tinycontrol tcPDU
- < 1.36
A vulnerability exists in Tinycontrol devices, including tcPDU and LAN Controllers LK3.5, LK3.9, and LK4, prior to the latest firmware updates. These devices have two authentication mechanisms: one for interface management and another for server resource protection. When the resource protection is disabled, which is the default setting, an unauthenticated attacker on the local network can access usernames and encoded passwords for the interface management portal. This information is available in a JSON file within the HTTP response of the login page. The vulnerability exposes credentials for both normal and admin users.
Exploitation of this vulnerability allows for unauthorized access to usernames and encoded passwords for the interface management portal, potentially leading to unauthorized actions on the device.
Users can update to the latest firmware versions to address this vulnerability. The patched versions are 1.36 for tcPDU, 1.67 for LK3.5, 1.75 for LK3.9, and 1.38 for LK4.