CVE-2023-46387

7.5 HIGH

📋 TL;DR

LOYTEC LINX-212 and LINX-151 automation servers have an incorrect access control vulnerability in the dpal_config.zml file that allows remote attackers to read sensitive data point configuration information. This affects all versions of these devices. Building automation systems using these devices are vulnerable to information disclosure.

💻 Affected Systems

Products:
  • LOYTEC LINX-212
  • LOYTEC LINX-151
Versions: All versions
Operating Systems: Embedded Linux-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: These are building automation servers used for controlling HVAC, lighting, and other building systems.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers use the disclosed data point configuration as a map of the building automation system and, combined with other weaknesses or exposed control interfaces, go on to manipulate physical systems such as HVAC, lighting, or security controls. This vulnerability itself only reads configuration; it does not write to the device.

🟠

Likely Case

Sensitive configuration data including data point names, addresses, and potentially credentials are exposed, enabling reconnaissance for further attacks.

🟢

If Mitigated

Limited information disclosure with no direct system control, but still reveals system architecture.

🌐 Internet-Facing: HIGH - These devices are often exposed to building networks that may have internet connectivity, and the exploit requires no authentication.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows any network user to access sensitive configuration data.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is a single unauthenticated HTTP GET for the dpal_config.zml file; no session, credentials, or special tooling are required. Public proof-of-concept code exists in the Packet Storm references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None available

Vendor Advisory: No vendor advisory found in provided references

Restart Required: No

Instructions:

No official patch available. Refer to workarounds and mitigation steps.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate LOYTEC devices on a separate VLAN with strict firewall rules preventing external access.

Access Control Lists (applies to: all)

Implement network ACLs so that LOYTEC devices can be reached only from authorized management stations.

🧯 If You Can't Patch

  • Segment devices on isolated network with no internet access
  • Implement strict firewall rules blocking all unnecessary ports to LOYTEC devices

🔍 How to Verify

Check if Vulnerable:

Send an HTTP GET request to http://[device_ip]/dpal_config.zml from a host that has no credentials for the device. If the file downloads (HTTP 200 with the configuration body, rather than a login page), the device is vulnerable.

Check Version:

Check the device web interface, or query the device over SNMP, for the firmware version. Since all versions are affected and no fixed version exists, the version check only identifies the device; it does not establish that a device is safe.

Verify Fix Applied:

After implementing network controls, repeat the HTTP GET for dpal_config.zml from a host outside the authorized management network. The request should return 403/404 or be refused at the network layer (connection refused or timeout). Testing only from an authorized management station proves nothing, because the file will still download from there.

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests to /dpal_config.zml
  • Unusual access from unauthorized IP addresses

Network Indicators:

  • HTTP traffic to LOYTEC devices on unusual ports
  • Multiple failed access attempts followed by successful dpal_config.zml download

SIEM Query:

source_ip=* dest_ip=[LOYTEC_IP] http_uri="/dpal_config.zml"
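The SIEM query above is a field-name placeholder; the rule it expresses (any request for /dpal_config.zml, with a successful download from a non-management address as the high-severity case) is straightforward to run over raw access logs. The script below is an added example, not part of the advisory or of any LOYTEC product. The device's own log format is not documented on this page, so it parses Common Log Format as produced by a reverse proxy or firewall in front of the device; the log lines, the 10.10.50.0/24 management network and the severity labels are constructed for the example.

```python
"""Flag dpal_config.zml retrievals in Common Log Format access logs.

Added example for CVE-2023-46387 detection; not vendor code. The management
network, log lines and severity labels below are assumptions for illustration.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

TARGET_PATH = "/dpal_config.zml"

# Management stations that are allowed to touch the devices (assumption).
AUTHORIZED_NETS = [ip_network("10.10.50.0/24")]

# Common Log Format: client ident user [time] "METHOD path proto" status size
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)

# Constructed sample: two downloads from an unauthorized address, one from a
# management station, one blocked attempt, and one unrelated request.
SAMPLE_LOG = """\
10.10.50.5 - - [12/Oct/2023:09:14:01 +0000] "GET /dpal_config.zml HTTP/1.1" 200 18234
10.10.50.5 - - [12/Oct/2023:09:14:07 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.77 - - [12/Oct/2023:09:20:11 +0000] "GET /dpal_config.zml HTTP/1.1" 200 18234
203.0.113.77 - - [12/Oct/2023:09:20:12 +0000] "GET /dpal_config.zml?x=1 HTTP/1.1" 200 18234
192.168.7.3 - - [12/Oct/2023:10:02:45 +0000] "GET /dpal_config.zml HTTP/1.1" 403 0
"""


def parse(line: str) -> Optional[Dict]:
    """Return the interesting CLF fields, or None for lines that do not match."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string before comparing
    return rec


def is_authorized(src: str) -> bool:
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in AUTHORIZED_NETS)


def severity(rec: Dict) -> str:
    """Rank one dpal_config.zml request.

    high    : file served (200) to an address outside the management network
    attempt : request from outside the management network that was refused
    audit   : any request from an authorized station, kept for review only
    """
    if is_authorized(rec["src"]):
        return "audit"
    return "high" if rec["status"] == 200 else "attempt"


def find_alerts(log_text: str) -> List[Dict]:
    """Return one alert per request for the target path, in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        alerts.append({"src": rec["src"], "ts": rec["ts"], "status": rec["status"],
                       "severity": severity(rec)})
    return alerts


def count_by_source(alerts: List[Dict]) -> Dict[str, int]:
    """Source IP -> number of high-severity downloads, for the 'unauthorized IP' indicator."""
    counts: Dict[str, int] = {}
    for a in alerts:
        if a["severity"] == "high":
            counts[a["src"]] = counts.get(a["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print(a)
    print(count_by_source(find_alerts(SAMPLE_LOG)))
```

Feed it the proxy or firewall log for the VLAN the devices sit on; a non-empty count_by_source result is the signal the page's "unusual access from unauthorized IP addresses" indicator describes, and the "attempt" entries confirm the ACLs are refusing traffic rather than the devices simply not being asked.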
