What vulnerabilities has LOYTEC Electronics GmbH addressed in its LINX series devices?

LOYTEC Electronics GmbH has released security updates to address multiple vulnerabilities in its LINX series devices. These vulnerabilities have high to critical severity ratings, including issues related to cleartext transmissions, improper access controls, and insecure storage of credentials. The most critical flaws include CVE-2023-46383, CVE-2023-46385, CVE-2023-46384, and CVE-2023-46386, all with a CVSS score of 9.3.

Which LOYTEC products are affected by these vulnerabilities?

The vulnerabilities impact all versions of the following LOYTEC products: LINX-151, LINX-212, LVIS-3ME12-A1, LIOB-586, LIOB-580 V2, LIOB-588, and L-INX Configurator.

What actions should users take to mitigate these vulnerabilities?

LOYTEC recommends updating all affected products to version 8.2.8 and following additional actions: disabling HTTP for certain vulnerabilities (CVE-2023-46380, CVE-2023-46382, CVE-2023-46383, and CVE-2023-46385), upgrading firmware to the latest version to fix permission and authentication issues, and applying patches as they are released.

Are there specific vulnerabilities with critical severity in LOYTEC products?

Yes, several vulnerabilities have a critical severity rating (CVSS score 9.3): CVE-2023-46383 (HTTP Basic Authentication exposure), CVE-2023-46385 (cleartext transmission of admin credentials), CVE-2023-46384 (insecure permissions allowing access to stored credentials), and CVE-2023-46386 (insecure storage of SMTP client credentials).

Will there be patches or updates for these vulnerabilities?

LOYTEC has released updates to address some of these vulnerabilities, and additional patches are planned. A patch will be released for CVE-2023-46384, and encrypted storage of SMTP credentials will be implemented in an upcoming LINX firmware update for CVE-2023-46386 and CVE-2023-46388.

What are the potential risks if these vulnerabilities are not mitigated?

If not mitigated, these vulnerabilities could allow attackers to exploit critical functions, gain unauthorized access, disclose sensitive information, or modify affected devices, potentially compromising the security of the entire system.

Advisory

CISA reports multiple flaws, including critical in LOYTEC Electronics LINX Series devices

published: Sept. 3, 2024

Take action: Another huge list of flaws affecting multiple products. If you are using LOYTEC LINX products, review the advisory and plan for a patch cycle. Ideally, all your systems should already be isolated in a trusted network, but a patch is still needed for the critical flaws.

Learn More

LOYTEC Electronics GmbH has released security updates to address multiple vulnerabilities in its LINX series devices, which could allow attackers to exploit critical functions and gain unauthorized access to sensitive information. These vulnerabilities, affecting various LOYTEC products, have high to critical severity ratings, including one with a CVSS score of 9.3:

CVE-2023-46380 (CVSS score 8.2): Affects LOYTEC LINX-212 firmware 6.2.4, LVIS-3ME12-A1 firmware 6.2.2, and LIOB-586 firmware 6.2.3. Devices send password-change requests via cleartext HTTP.
CVE-2023-46382 (CVSS score 8.7): Affects the same devices; cleartext HTTP is used for login.
CVE-2023-46383 (CVSS score 9.3): LOYTEC LINX Configurator 7.4.10 uses HTTP Basic Authentication, exposing usernames and passwords in base64-encoded cleartext.
CVE-2023-46385 (CVSS score 9.3): Cleartext transmission of admin credentials via URL parameters in LINX Configurator 7.4.10.
CVE-2023-46381 (CVSS score 8.8): Affects LOYTEC LINX-212 firmware 6.2.4, LVIS-3ME12-A1 firmware 6.2.2, and LIOB-586 firmware 6.2.3. Lack of authentication for LWEB-802 allows attackers to edit or create projects and control the GUI.
CVE-2023-46384 (CVSS score 9.3): Insecure permissions in LINX Configurator 7.4.10 allow attackers to access stored credentials in cleartext.
CVE-2023-46386 (CVSS score 9.3): LINX-212 firmware 6.2.4 and LINX-151 firmware 7.2.4 store SMTP client credentials insecurely.
CVE-2023-46387 (CVSS score 8.7): LINX-212 firmware 6.2.4 and LINX-151 firmware 7.2.4 have improper access control via dpal_config.zml.
CVE-2023-46389 (CVSS score 8.7): Improper access control via registry.xml in LINX-212 and LINX-151.

Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information or modify an affected device, potentially compromising the security of the entire system.

The vulnerabilities impact all versions of the following LOYTEC products:

LINX-151
LINX-212
LVIS-3ME12-A1
LIOB-586
LIOB-580 V2
LIOB-588
L-INX Configurator

LOYTEC recommends updating all affected products to version 8.2.8 and following additional actions:

Disable HTTP for CVE-2023-46380, CVE-2023-46382, CVE-2023-46383, and CVE-2023-46385 as per LOYTEC's security hardening guide.
Upgrade firmware to the latest version to fix permission and authentication issues.
A patch will be released for CVE-2023-46384.
Encrypted storage of SMTP credentials will be implemented in the upcoming LINX firmware update for CVE-2023-46386 and CVE-2023-46388.

CISA reports multiple flaws, including critical in LOYTEC Electronics LINX Series devices

Read More
CISA warns of critical flaw in Schneider Electric …
Rockwell Automation fixes critical flaw in AADvance Standalone …
Siemens reports vulnerabilities in SINEC Security Monitor, including …
CISA reports multiple flaws in KUNBUS GmbH Revolution …
Multiple critical vulnerabilities reported in Schneider Electric Modicon …