Lantronix Device Installer XML External Entity Vulnerability Allowing Credential Theft and Host Access
Vulnerability
A vulnerability allowing XML external entity (XXE) attacks has been identified in Lantronix Device Installer versions 4.4.0.7 and prior. The flaw lies in how the software parses configuration files read from network devices: a crafted configuration file can cause the parser to resolve external entities, potentially allowing an attacker to obtain credentials, access and modify network device configurations, gain access to the host running the Device Installer software, or obtain the password hash of the user executing the application.
Impact
Exploitation of this vulnerability could lead to unauthorized access to network devices, allowing for credential theft and unauthorized configuration changes. Additionally, it could provide access to the host machine running the Device Installer software.
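The two sections above describe the root cause: a configuration file pulled from a device is parsed by an XML parser that honours DOCTYPE and entity declarations. The following is an added, illustrative example (not Lantronix code, and not a description of Device Installer's internals) of how a hardened configuration reader refuses such documents before any entity is expanded. It uses only the Python standard library; the element names (`device`, `hostname`, `ip`) and both sample documents are constructed for the example, and the `SYSTEM` identifier in the hostile sample is a deliberate placeholder.

```python
"""Hardened reader for device-configuration XML (added example, assumptions noted inline).

expat invokes the DOCTYPE and entity-declaration handlers the moment it sees the
declaration, before any entity is expanded. Raising inside a handler aborts
Parse() and propagates the exception, so a document carrying a DTD never reaches
the tree builder. This blocks external entities (XXE) and internal entity
expansion (billion laughs) alike.
"""
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when a document contains a DOCTYPE, entity declaration or external reference."""


def check_no_dtd(xml_bytes: bytes) -> None:
    """Scan the document with expat and abort on any DTD or entity construct."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE <{name}> is not permitted in device configuration")

    def on_entity_decl(*decl):
        raise UnsafeXMLError("entity declarations are not permitted in device configuration")

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXMLError("external entity references are not permitted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.UnparsedEntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref  # defence in depth; never reached if DOCTYPE is rejected
    parser.Parse(xml_bytes, True)


def load_device_config(xml_bytes: bytes) -> dict:
    """Validate the document, then build a flat tag -> text mapping of the root's children."""
    check_no_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)  # ElementTree also refuses undeclared entities once the DTD is gone
    return {child.tag: (child.text or "").strip() for child in root}


def config_is_safe(xml_bytes: bytes) -> bool:
    """Convenience predicate for callers that only need an accept/reject decision."""
    try:
        check_no_dtd(xml_bytes)
    except UnsafeXMLError:
        return False
    return True


# Constructed sample: a benign configuration as a device might return it (hypothetical schema).
BENIGN_CONFIG = b"""<?xml version="1.0"?>
<device>
  <hostname>sensor-01</hostname>
  <ip>192.0.2.10</ip>
</device>
"""

# Constructed sample: the same schema with a DTD that declares an external entity.
# The SYSTEM identifier is a placeholder, not a real path.
HOSTILE_CONFIG = b"""<?xml version="1.0"?>
<!DOCTYPE device [
  <!ENTITY ext SYSTEM "file:///PLACEHOLDER-LOCAL-PATH">
]>
<device>
  <hostname>&ext;</hostname>
</device>
"""

if __name__ == "__main__":
    print(load_device_config(BENIGN_CONFIG))
    print("hostile sample accepted:", config_is_safe(HOSTILE_CONFIG))
```

The pre-validation pass and the tree build operate on the same bytes, so there is no window in which a different document could be substituted between the check and the parse. The same pattern applies to any parser that exposes DTD hooks: reject the declaration itself rather than trying to filter individual entity values.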
Remediation
Lantronix Device Installer reached end of support in 2018 and will not receive any further updates or security enhancements. Users are advised to migrate to Lantronix Provisioning Manager, a supported solution, as soon as possible. For additional guidance, CISA recommends minimizing network exposure for control system devices, using firewalls to isolate control system networks from business networks, and employing secure remote access methods such as VPNs.