Tuesday, March 28, 2017

Dishwasher has a 20 year old security bug

The Internet of Lousy Things shows once again that security wasn't an afterthought, it wasn't thought of at all:
Don't say you weren't warned: Miele went full Internet-of-Things with a network-connected dishwasher, gave it a web server, and now finds itself on the wrong end of a security bug report – and it's accused of ignoring the warning. 
The utterly predictable vulnerability advisory on the Full Disclosure mailing list details CVE-2017-7240 – aka "Miele Professional PG 8528 - Web Server Directory Traversal.” This is the builtin web server that's used to remotely control the glassware-cleaning machine from a browser. 
“The corresponding embedded Web server 'PST10 WebServer' typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aide in subsequent attacks,” reads the notice, dated Friday. 
Proving it for yourself is simple: Using a basic HTTP GET, fetch...
/../../../../../../../../../../../../etc/shadow
...from whichever IP address the dishwasher has on your network to reveal the shadow password file on its file system. That's pretty sad.
This attack was the 'sploit hotness in 1997.  Congratulations, Miele: you have a 20 year old security bug in your shiny brand new dishwasher.


2 comments:

Coyote Hubbard III said...

I have a Miele vacuum. As far as I know, its not net-aware at least.

Ted said...

I have a Miele washer / dryer also not net aware. OTOH it might be nice if my dishwasher notified me when it was finished with its 3 hour cycle . ..... but since that is normally at 1am it's not really important. So having net aware appliances ??? Not important / not paying extra to have.