tinycontrol tcPDU - < 1.36
A vulnerability exists in Tinycontrol devices, specifically in the tcPDU and the LAN Controllers LK3.5, LK3.9, and LK4, prior to the latest firmware updates. It allows a low-privileged user to obtain the administrator's password by directly requesting a resource that is not exposed through the graphical interface. The root cause is improper authentication management: the device serves the resource to any authenticated user, and the secondary authentication layer that would block this is disabled by default, so a device running with default settings is exploitable.
Exploitation of this vulnerability allows low-privileged users to read administrator passwords, potentially leading to unauthorized access or actions within the device management interface.
To reproduce this vulnerability, a low-privileged user account is used to request the specific resource that contains the administrator password. The request is sent directly to the device rather than through the graphical interface, taking advantage of the authentication flaw that returns sensitive information without checking that the requester is authorized to see it.
Users should update their devices to the latest firmware versions to address this vulnerability. The patched versions are 1.36 for tcPDU, 1.67 for LK3.5 (hardware versions 3.5, 3.6, 3.7, and 3.8), 1.75 for LK3.9 (hardware version 3.9), and 1.38 for LK4 (hardware version 4.0).