SITEL CAP/PRX cleartext transmission of sensitive information

Posted date 13/05/2021
Importance
3 - Medium
Affected Resources

CAP/PRX, firmware version 5.2.01.

Description

INCIBE has coordinated the publication of a vulnerability in the CAP/PRX device, with the internal code INCIBE-2021-0181, which has been discovered by the Industrial Cybersecurity team of S21sec, special mention to Aarón Flecha Menéndez and Luis Martín Liras, as an independent researcher.

CVE-2021-32456 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Solution

The fix for this vulnerability is available as of version 1.2 of the CAP-PRX-NG platform.

Detail

The authentication process of legitimate users to CAP/PRX web panel is performed using HTTP, and therefore the access credentials go in plaintext.

An attacker with access to the local network of the device, or the device user´s computer, could obtain the authentication passwords by analysing the network traffic.

This vulnerability has been corrected in the affected products through SITEL's continuous improvement processes.

CWE-319: Cleartext Transmission of Sensitive Information.

Timeline:

11/08/2017 - Researchers disclosure.
02/10/2020 - Researchers contact with INCIBE.
08/02/2021 - SITEL confirms the vulnerability to INCIBE and the publication of the corrective version and the new software version (security patch).
13/05/2021 - INCIBE publishes the advisory.

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.

Encuesta valoración

References list
Product sheet
El camino del reporte (Episodio I), El poder en remoto
Etiquetas