CVE-2023-46389

7.5 HIGH

📋 TL;DR

LOYTEC LINX-212 and LINX-151 building automation servers serve their registry.xml configuration file over HTTP without requiring authentication. Anyone who can reach the device's web interface can download it and read cleartext credentials and other configuration details. The listing reports all versions of these devices as affected.

💻 Affected Systems

Products:
  • LOYTEC LINX-212
  • LOYTEC LINX-151
Versions: All versions
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: These are building automation servers used for HVAC, lighting, and other building control systems.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain full access to building automation systems, potentially manipulating HVAC, lighting, security systems, or using credentials to pivot to other networks.

🟠

Likely Case

Attackers steal sensitive configuration data, passwords, and secrets that could be used for further attacks or sold on dark web markets.

🟢

If Mitigated

With the device reachable only from trusted management hosts, the issue stays an information disclosure: on its own it does not modify settings or execute commands, so the residual risk is exposure of configuration data to whoever can still reach the web interface.

🌐 Internet-Facing: HIGH - Directly accessible devices expose all configuration secrets to anyone who can reach them.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems can still access sensitive configuration data.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP access to the device's web server: a single unauthenticated GET for /registry.xml returns the file. Public proof-of-concept code exists in Packet Storm disclosures.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: No vendor advisory found

Restart Required: No

Instructions:

No official patch available. Consider workarounds or replacement.

🔧 Temporary Workarounds

Network Segmentation

Applies to: all versions

Isolate LOYTEC devices on separate VLANs with strict firewall rules preventing external access.

Access Control Lists

Applies to: all versions

Implement IP-based access restrictions to only allow connections from authorized management systems.

🧯 If You Can't Patch

  • Remove devices from internet-facing networks immediately
  • Monitor for requests to /registry.xml and alert on any that originate outside the management network

🔍 How to Verify

Check if Vulnerable:

Request http://[device-ip]/registry.xml without credentials, e.g. from a browser or with curl. If the device answers HTTP 200 with XML configuration data, it is vulnerable; a 401/403 or a redirect to the login page means the file is protected. Only test devices you are authorised to assess: the file contains live credentials, so handle any copy you retrieve as sensitive.

Check Version:

Check device web interface or consult LOYTEC documentation for version information.

Verify Fix Applied:

After implementing workarounds, repeat the check from a host outside the management network (for example from a user VLAN or an external address) and confirm the request is blocked or refused. Then repeat it from an authorised management host: it should still succeed, otherwise the ACL is misapplied.

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests to /registry.xml
  • Unusual access patterns to LOYTEC devices

Network Indicators:

  • External IP addresses accessing internal LOYTEC devices
  • Traffic to registry.xml endpoint

SIEM Query:

source_ip NOT IN (management_ips) AND dest_port IN (80, 443) AND lower(uri_path)='/registry.xml'

Allow-list the management hosts rather than trying to enumerate external addresses, include 443 if the web interface is served over TLS, and normalise the path before matching: an exact match on /registry.xml misses case and percent-encoding variants and requests that carry a query string. A 200 response to an untrusted source means the file actually left the device and should be treated as a credential exposure, not just a probe.
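The detection logic above run over a handful of constructed access-log lines, as an added example that is not part of the original page. It assumes logs in the common Apache/nginx "combined" format collected by a reverse proxy, firewall or IDS in front of the device (the device's own logging is not assumed), and that management hosts live in the RFC 1918 ranges listed in the code; both are site-specific and should be adjusted. The sample log lines are constructed and the severity tiers are the example's own.

```python
"""Flag requests for /registry.xml in web-server or proxy access logs.

Added example, not part of the advisory. It assumes access logs in the common
Apache/nginx "combined" format, collected by a reverse proxy, firewall or IDS in
front of the device (the device's own logging is not assumed), and that the
management hosts sit in the RFC 1918 ranges listed below; adjust both to the site.
"""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines; not real device or proxy logs.
SAMPLE_LOG = """\
10.20.30.5 - - [12/Mar/2024:09:14:02 +0000] "GET /webui/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.44 - - [12/Mar/2024:09:14:07 +0000] "GET /registry.xml HTTP/1.1" 200 18342 "-" "python-requests/2.31"
10.20.30.5 - - [12/Mar/2024:09:15:11 +0000] "GET /registry.xml HTTP/1.1" 200 18342 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:09:16:45 +0000] "GET /Registry.XML?x=1 HTTP/1.1" 401 0 "-" "curl/8.4.0"
198.51.100.9 - - [12/Mar/2024:09:16:46 +0000] "GET /%72egistry.xml HTTP/1.1" 200 18342 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed management ranges; replace with the site's actual management subnets.
MANAGEMENT_NETS = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_management(src, nets=MANAGEMENT_NETS):
    """True if the source address falls inside a management range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False                      # hostnames or garbage: treat as untrusted
    return any(addr in net for net in nets)


def normalise_path(target):
    """Strip the query string, percent-decode and lower-case, so that
    /Registry.XML?x=1 and /%72egistry.xml both compare equal to /registry.xml."""
    return unquote(urlsplit(target).path).lower()


def detect(lines, nets=MANAGEMENT_NETS):
    """Return one alert dict per request for /registry.xml, with a severity."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or normalise_path(m["target"]) != "/registry.xml":
            continue
        src, status = m["src"], int(m["status"])
        trusted = is_management(src, nets)
        if not trusted and status == 200:
            severity = "high"      # the file was served to an untrusted source
        elif not trusted:
            severity = "medium"    # blocked, but someone is probing for it
        else:
            severity = "low"       # management range; confirm it is an authorised host
        alerts.append({"ts": m["ts"], "src": src, "status": status,
                       "target": m["target"], "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print("%(severity)-6s %(src)-14s %(status)s %(target)s" % alert)
```

On the constructed sample this raises four alerts: two "high" for the external 200s (one of them using a percent-encoded path that a naive exact match would miss), one "medium" for the external 401, and one "low" for the internal request that should be reconciled against the list of authorised management hosts.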

🔗 References