Advisory

Opteev MachineSense FeverWarn contains critical vulnerabilities, one 10/10

Take action: Your MachineSense FeverWarn is discontinued and not maintained. If you are still using it, at least isolate it in a separate protected network. Ideally, replace it with something less vulnerable.

Learn More

Several critical vulnerabilities have been identified in the MachineSense FeverWarn ecosystem, an IoT-based skin temperature scanning system. These flaws could allow attackers to access user data, execute code remotely, or take control of devices for malicious purposes.

Vulnerable components include various versions of FeverWarn, namely ESP32, RaspberryPi, and DataHub RaspberryPi.

Vulnerabilities Overview:

  1. Missing Authentication for Critical Function (CVE-2023-6221, CVSS v3 score 7.7): The cloud integration used for multiple MachineSense devices, including FeverWarn, is vulnerable to unauthorized access, potentially exposing source code and credentials.

  2. Use of Hard-coded Credentials (CVE-2023-46706, CVSS v3 score 9.1): Multiple MachineSense devices ship with credentials that cannot be changed, posing a high risk.

  3. Improper API Protection (CVE-2023-49617, CVSS v3 score 10.0): The MachineSense API lacks necessary authentication, leaving sensitive information vulnerable to unauthorized access and modification.

  4. Unauthenticated MQTT Messaging (CVE-2023-49115, CVSS v3 score 7.5): MachineSense devices use unauthenticated MQTT messaging, allowing unauthorized remote viewing and monitoring.

  5. Improper Access Control (CVE-2023-47867, CVSS v3 score 8.8): FeverWarn devices, as Wi-Fi hosts, could be compromised by nearby attackers through web services.

  6. Improper Input Validation (CVE-2023-49610, CVSS v3 score 8.1): Raspberry Pi-based FeverWarn devices are susceptible to command execution or memory buffer overflow due to lack of input sanitization.
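Item 6 describes the flaw class in general terms: untrusted input reaches a shell command or a fixed-size buffer without being checked. The following is an added illustration of that class and its fix, not FeverWarn's code; the `read_sensor` command, the `sensor_id` parameter and the length limit are hypothetical choices made for the example. The unsafe variant only returns the string the shell would receive and never executes it; the hardened variant validates against a short allowlist and passes an argument vector with no shell at all.

```python
import re
import subprocess
from typing import List

# Hypothetical bound on the identifier. A hard length cap also protects any
# fixed-size buffer that the value is later copied into (the overflow half of item 6).
MAX_LEN = 32

# Allowlist: only letters, digits, '_' and '-' may reach the operating system.
SENSOR_ID = re.compile(r"^[A-Za-z0-9_-]+$")


def vulnerable_command(sensor_id: str) -> str:
    """The unsafe pattern: untrusted input spliced into a shell command string.

    Returned, never run, so the reader can see that a ';' or other shell
    metacharacter in the input would be interpreted by the shell as-is.
    """
    return "read_sensor " + sensor_id


def validate_sensor_id(sensor_id: str) -> bool:
    """Accept only short identifiers made of allowlisted characters."""
    return 0 < len(sensor_id) <= MAX_LEN and SENSOR_ID.fullmatch(sensor_id) is not None


def build_safe_argv(sensor_id: str) -> List[str]:
    """Hardened form: validate first, then build an argv list (no shell parsing)."""
    if not validate_sensor_id(sensor_id):
        raise ValueError("invalid sensor id")
    return ["read_sensor", sensor_id]


def run_sensor_read(sensor_id: str) -> subprocess.CompletedProcess:
    """Execute the hypothetical helper with shell=False and a timeout.

    Because argv is a list, the sensor id is a single argument even if it
    contained spaces or metacharacters; validation above rejects those anyway.
    """
    argv = build_safe_argv(sensor_id)
    return subprocess.run(argv, shell=False, capture_output=True, text=True,
                          timeout=5, check=False)


if __name__ == "__main__":
    for candidate in ("cam0", "cam0; id", "x" * 40):
        print(f"{candidate[:20]!r:>24} -> valid={validate_sensor_id(candidate)}")
```

The two defences are independent: the allowlist stops command injection even if the value is later handed to a shell by mistake, and the length cap stops over-long values from reaching any native buffer regardless of their characters.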

FeverWarn, primarily used in the Healthcare and Public Health Sector in the United States, has been discontinued. MachineSense advises users to contact them for further information and take precautions such as minimizing network exposure, isolating control systems, and using secure remote access methods.
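Item 4 (unauthenticated MQTT) and the precautions above both come down to how the broker that the devices talk to is configured. As an added example, not part of the advisory or of any MachineSense software, here is a small audit that reads a Mosquitto-style broker configuration and reports the settings that leave MQTT open to anonymous, plaintext access. The two configuration texts are constructed for the example; the option names (`allow_anonymous`, `password_file`, `cafile`, `certfile`, `keyfile`, `listener`) are standard mosquitto.conf keys, and the file paths in them are placeholders.

```python
from typing import Dict, List

# Constructed sample: a broker that accepts unauthenticated, unencrypted clients.
WEAK_CONF = """\
# constructed example, not a real device configuration
listener 1883
allow_anonymous true
"""

# Constructed sample: the same broker with credentials and TLS required.
HARDENED_CONF = """\
listener 8883
allow_anonymous false
password_file /etc/mosquitto/passwd
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/broker.crt
keyfile /etc/mosquitto/broker.key
"""


def parse_mosquitto_conf(text: str) -> Dict[str, str]:
    """Minimal parser: one 'key value' per line, '#' comments and blanks ignored.

    A later occurrence of a key overrides an earlier one, which is enough for a
    flat, single-listener file like the samples above.
    """
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


def audit_mqtt_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means no weak setting was seen."""
    conf = parse_mosquitto_conf(text)
    findings: List[str] = []

    # The default for allow_anonymous differs between Mosquitto versions, so an
    # unset value is treated as weak and the audit expects it to be set explicitly.
    if conf.get("allow_anonymous", "true").lower() == "true":
        findings.append("allow_anonymous is not false: clients may connect without credentials")

    if "password_file" not in conf and "auth_plugin" not in conf:
        findings.append("no password_file or auth_plugin: no credential store is configured")

    if not all(k in conf for k in ("cafile", "certfile", "keyfile")):
        findings.append("no cafile/certfile/keyfile: broker traffic is plaintext")

    listener_port = conf.get("listener", "").split()[:1]
    if listener_port == ["1883"] or conf.get("port") == "1883":
        findings.append("listening on 1883: the unencrypted default MQTT port")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for finding in audit_mqtt_conf(conf) or ["no findings"]:
            print("  -", finding)
```

Running the audit against a broker's real configuration before placing it on the isolated segment recommended above gives a quick check that the "unauthenticated MQTT" condition in item 4 has actually been closed rather than merely moved behind a firewall.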