Microhard Gateway Config Download Vulnerability (ZSL-2018-5484) Advisory

Vulnerability Key Information CVE Identifier: ZSL-2018-5484 Title: Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Configuration Download Type: Local/Remote Impact: Exposure of System Information, Privilege Escalation, Exposure of Sensitive Information, DoS, Security Bypass Risk Level (4/5): 4/5 Release Date: 17.07.2018 Summary The Microhard Systems 3G/4G cellular Ethernet and serial gateway configuration download vulnerability can be exploited by an authenticated attacker under certain conditions. This allows the attacker to download system backup configuration files such as and from multiple locations, resulting in disclosure of sensitive information and potential privilege escalation. Affected Versions IPn4G 1.1.0 build 1098 IPn3Gb 2.2.0 build 2160 IPn4Gb 1.1.0 build 1086 Bullet-3G 1.2.0 build 1032 Bullet-3G 1.2.0 build 1036 BulletPlus 1.3.0 build 1036 Dragon-LTE 1.1.0 build 1036 Vendor Status 13.03.2018: Vulnerability discovered and vendor contacted. 09.05.2018: No response from Microhard Systems. 10.05.2018: Vendor contacted again. 24.05.2018: No response from Microhard Systems. 25.05.2018: Vendor contacted again. 16.07.2018: No response from Microhard Systems. 17.07.2018: Public security advisory released. Contact: lab@zeroscience.mk References 1. https://www.exploit-db.com/exploit/45036/ 2. https://packetstormsecurity.org/files/148573 3. https://exchange.xforce.ibmcloud.com/vulnerabilities/146623 4. https://cxsecurity.com/issue/WLB-2018070164

Goal Reached Thanks to every supporter — we hit 100%!

Microhard Gateway Config Download Vulnerability (ZSL-2018-5484) Advisory