CVE-2023-46381
📋 TL;DR
LOYTEC building automation devices lack authentication for the LWEB-802 web interface via specific URIs, allowing unauthenticated attackers to modify or create GUI projects. This affects all versions of LINX-151, LINX-212, LVIS-3ME12-A1, LIOB-586, LIOB-580 V2, LIOB-588, and L-INX Configurator devices.
💻 Affected Systems
- LINX-151
- LINX-212
- LVIS-3ME12-A1
- LIOB-586
- LIOB-580 V2
- LIOB-588
- L-INX Configurator
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of building automation systems allowing attackers to manipulate HVAC, lighting, security systems, or create malicious interfaces that could cause physical damage or safety hazards.
Likely Case
Unauthorized modification of building control interfaces leading to operational disruption, data manipulation, or creation of deceptive control panels.
If Mitigated
Limited impact if devices are isolated behind firewalls with strict network segmentation and access controls.
🎯 Exploit Status
Exploitation requires only HTTP requests to the vulnerable URI without any authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None available
Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-24-247-01
Restart Required: No
Instructions:
No official patch available. Follow workarounds and mitigation steps.
🔧 Temporary Workarounds
Network Segmentation
Isolate LOYTEC devices on separate VLANs with strict firewall rules blocking access to lweb802_pre/ URIs.
Access Control Lists
Implement network ACLs to restrict access to LOYTEC devices to authorized management stations only.
🧯 If You Can't Patch
- Implement strict network segmentation and zero-trust architecture around LOYTEC devices
- Deploy intrusion detection systems monitoring for access to lweb802_pre/ URIs and unusual project modifications
🔍 How to Verify
Check if Vulnerable:
Attempt HTTP GET request to http://<device_ip>/lweb802_pre/ - if accessible without authentication, device is vulnerable.
Check Version:
Check device firmware version via web interface or serial console (vendor-specific commands vary by model)
Verify Fix Applied:
Verify network controls block access to lweb802_pre/ URI and only authorized systems can reach LOYTEC devices.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /lweb802_pre/ paths
- Unauthenticated access to LOYTEC web interfaces
- Unexpected project file modifications
Network Indicators:
- HTTP traffic to LOYTEC devices on unusual ports
- Requests containing lweb802_pre in URI
SIEM Query:
source="LOYTEC" AND (uri="*lweb802_pre*" OR status="401" OR status="403")
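The log indicator above can be checked offline with a small triage script. This is an added example, not part of the advisory or any vendor tooling: it assumes combined-format access logs from a proxy or firewall in front of the devices and a hypothetical management range `10.20.0.0/28`, and it normalizes the path so encoded or mixed-case variants of `lweb802_pre` are still flagged.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumed for this example: management-station range and combined log format.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/28")]
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def touches_lweb802_pre(target):
    """True if the request path has an lweb802_pre segment after normalization."""
    path = target.split("?", 1)[0]
    for _ in range(2):          # decode twice to catch double percent-encoding
        path = unquote(path)
    # Lowercasing is deliberately conservative: flag any case variant.
    return "lweb802_pre" in path.lower().split("/")

def is_mgmt(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:          # hostname or garbage in the client field
        return False
    return any(addr in net for net in MGMT_NETS)

def classify(line):
    """Return None for irrelevant lines, else a finding dict with a severity."""
    m = LOG_RE.match(line)
    if not m or not touches_lweb802_pre(m["target"]):
        return None
    if is_mgmt(m["src"]):
        severity = "info"       # expected access from a management station
    elif m["status"].startswith("2"):
        severity = "high"       # served to a non-management source: controls failed
    else:
        severity = "medium"     # attempt that was blocked or errored
    return {"src": m["src"], "target": m["target"], "status": m["status"], "severity": severity}

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation addresses, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.44 - - [01/Jan/2025:10:01:02 +0000] "GET /lweb802_pre/ HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2025:10:01:09 +0000] "POST /LWEB802_%70re/example HTTP/1.1" 403 0',
    '10.20.0.5 - - [01/Jan/2025:10:02:00 +0000] "GET /lweb802_pre/ HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [01/Jan/2025:10:04:00 +0000] "GET /%256cweb802_pre/ HTTP/1.1" 200 512',
]
if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A `high` finding means a request to the path was answered successfully for a source outside the allowlist, so the segmentation or ACL workaround is not in effect for that route.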
🔗 References
- http://packetstormsecurity.com/files/175646/LOYTEC-Electronics-Insecure-Transit-Insecure-Permissions-Unauthenticated-Access.html
- https://seclists.org/fulldisclosure/2023/Nov/0
- https://www.cisa.gov/news-events/ics-advisories/icsa-24-247-01
- https://www.txone.com/blog/ten-unpatched-vulnerabilities-in-building-automation-products-identified-by-txone-networks/