Last updated at Wed, 03 Jan 2024 19:17:03 GMT

Rapid7, Inc. (Rapid7) discovered vulnerabilities in the Aladdin Connect retrofit kit garage door opener and Android mobile application produced by Genie. The affected products include:

  • Aladdin Garage door smart retrofit kit, Model ALDCM
  • Android Mobile application ALADDIN Connect, Version 5.65 Build 2075

Rapid7 initially reported these issues to Overhead Door, the parent company of The Genie Company, on August 22nd 2023. Since then, members of our research team have worked alongside the vendor to discuss the impact, resolution, and a coordinated response for these vulnerabilities.

Product Description

The Aladdin Connect garage door opener (Retrofit-kit) is a smart IoT solution which allows standard electric garage doors to be upgraded to support smart technology for remote access and use of mobile applications for opening and closing of the garage door.

Credit

The vulnerabilities in the Genie Aladdin Connect retrofit garage door opener and mobile application were discovered by Deral Heiland, Principal IoT Researcher at Rapid7. They are being disclosed in accordance with Rapid7’s vulnerability disclosure policy after coordination with the vendor.

Vendor Statement

Trusted for generations by millions of homeowners, The Genie Company is committed to security, and we collaborate with valued researchers, such as Rapid7, to respond to and resolve vulnerabilities on behalf of our customers.

Exploitation and Remediation

This section details the potential for exploitation and our remediation guidance for the issues discovered and reported by Rapid7, so that defenders of this technology can gauge the impact of, and the mitigations for, these issues appropriately.

Android Application Insecure Storage (CVE-2023-5879) - FIXED

While examining the Android mobile application, Aladdin Connect, for general security issues, Rapid7 found that the user’s password was stored in clear text in the following file:

  • /data/data/com.geniecompany.AladdinConnect/shared_prefs/com.genie.gdocntl.MainActivity.xml

The persistence of this data was tested by logging out and rebooting the device. Typically, logging out and rebooting a mobile device leads to the data being purged from the device. In this case neither the file, nor its contents, were purged. Figure 2 is a copy of the file content after logout and reboot:

Figure 2: Clear text Stored User Credentials
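The finding above is the kind of thing an app audit should catch mechanically: pull the app's shared_prefs files from a test device and flag any string entry whose key names a credential and whose value does not look like an opaque (encrypted or wrapped) blob. The script below is an added example written for this post, not Rapid7's tooling or Genie's code; the shared_prefs XML it parses is constructed for the example and the key names, values and the "opaque blob" heuristic are assumptions, not taken from the real application.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the Android shared_prefs format. Keys and values are
# invented for this example and are not from the real application.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">homeowner@example.com</string>
    <string name="password">Sup3rSecret!</string>
    <string name="theme">dark</string>
    <string name="auth_token">eyJhbGciOi...</string>
    <string name="refresh_token_enc">Q2lwaGVydGV4dF9mb3JfdGhpc19leGFtcGxlX29ubHlfbm90X3JlYWxfMDEyMzQ1Njc4OQ==</string>
    <boolean name="remember_me" value="true" />
</map>
"""

# Preference keys that usually hold a credential or bearer secret (assumed list).
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|credential|\bpin\b", re.IGNORECASE)

# Heuristic only: a long run of base64-style characters is probably a wrapped or
# encrypted value rather than something a user typed. Short or punctuated values
# are treated as plaintext suspects.
BASE64ISH = re.compile(r"^[A-Za-z0-9+/=_-]{44,}$")


def looks_opaque(value):
    return bool(BASE64ISH.match(value))


def find_plaintext_secrets(xml_text):
    """Return (key, value, plaintext_suspect) for every sensitive-looking string entry."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root:
        name = elem.get("name", "")
        value = (elem.text or "").strip()
        if elem.tag != "string" or not value:
            continue  # booleans, ints and empty strings carry nothing to leak
        if SENSITIVE_KEY.search(name):
            findings.append((name, value, not looks_opaque(value)))
    return findings


def report(xml_text):
    """Human-readable summary with values redacted, suitable for an audit log."""
    lines = []
    for name, value, suspect in find_plaintext_secrets(xml_text):
        shown = value[:2] + "*" * (len(value) - 2)
        status = "PLAINTEXT?" if suspect else "opaque"
        lines.append(f"{name}: {shown} [{status}]")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_PREFS):
        print(line)
```

Run it against each file under the app's shared_prefs directory on a rooted test device (or an extracted backup); anything reported as a plaintext suspect under a key like `password` is exactly the condition described above, and the fix on the app side is to keep such material in the Android Keystore or an encrypted preferences wrapper rather than a plain XML file.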

Exploitation

An attacker with physical access to the user’s smartphone (e.g., via a lost or stolen phone) would potentially be able to extract this critical data, allowing access to the user’s service account to control the garage door opener.

Remediation

To mitigate this vulnerability, users should set a password or PIN on their mobile devices to restrict access.

Additional Notes from the Vendor

This vulnerability is tied to the biometric capability (touch or face recognition).

Mitigation: Update to the latest app upgrade available in the Play Store. App version v5.73

Cross-site Scripting (XSS) injected into Aladdin Connect garage door opener (Retrofit-Kit) configuration setup web server console via broadcast SSID name (CVE-2023-5880)

When the Aladdin Connect device is placed into Wi-Fi configuration mode, the user web interface used for configuring the device is vulnerable to XSS injection via broadcast SSID names containing HTML and/or JavaScript.

Exploitation

This XSS attack via SSID injection method can be done by running a software-based Wi-Fi access point to broadcast HTML or JavaScript as the SSID name such as:

An example of this is shown in Figure 3, using airbase-ng to broadcast the HTML and/or JavaScript code:

Figure 3: SSID Name Injection Method

In the example found in Figure 4, a simple alert box is triggered on the Aladdin base unit Wi-Fi configuration webpage from the above SSID name. Also, the image on the right of Figure 4 shows the actual web page source delivered to the end user. No user interaction is needed to trigger this; the user only needs to view the web page during configuration mode.

Figure 4: XSS Injection using SSID Injection Method

Also, a denial of service (DoS) of the Wi-Fi configuration page can be accomplished by just broadcasting an SSID containing preventing the web page from being used to configure the device's setup. This corrupted web page is shown in Figure 5:

Figure 5: Corrupted Wi-Fi Configuration Page
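Both the script injection and the page corruption above come from the same root cause: the setup page copies scanned SSID bytes straight into its HTML. The example below is added for this post and is not the device's firmware or any Rapid7 code; it contrasts a rendering routine that reproduces the flaw with one that treats SSIDs as untrusted data (control characters dropped, the 802.11 32-byte limit enforced, everything HTML-escaped). The scanned SSID list is constructed, and the `<select>` markup is an assumption about how such a page might present networks.

```python
import html

# Constructed scan results for this example; not captured from a real device.
SCANNED_SSIDS = [
    "HomeNet-2.4",
    "<script>alert(1)</script>",   # classic reflected-XSS probe string
    "<option",                     # unterminated tag: breaks the surrounding markup
    "Caf\u00e9 WLAN\x07",          # legitimate accented name with a stray control byte
    "x" * 40,                      # longer than 802.11 permits; should not reach the page
]

MAX_SSID_BYTES = 32  # 802.11 limit on SSID length


def render_ssid_options_vulnerable(ssids):
    """Reproduces the flaw: SSID text is concatenated into the page unescaped."""
    items = "".join(f'<option value="{s}">{s}</option>' for s in ssids)
    return f'<select name="ssid">{items}</select>'


def sanitize_ssid(ssid):
    """Return an HTML-safe rendering of an SSID, or None if it should be skipped."""
    if len(ssid.encode("utf-8")) > MAX_SSID_BYTES:
        return None  # cannot be a valid SSID; do not render it at all
    # Strip control characters; everything else is escaped rather than removed so
    # legitimate names (accents, quotes, ampersands) still display correctly.
    cleaned = "".join(ch for ch in ssid if ch.isprintable())
    return html.escape(cleaned, quote=True)


def render_ssid_options_fixed(ssids):
    items = []
    for s in ssids:
        safe = sanitize_ssid(s)
        if safe is None:
            continue
        items.append(f'<option value="{safe}">{safe}</option>')
    return '<select name="ssid">' + "".join(items) + "</select>"


def contains_raw_tag(rendered, tag):
    """Audit helper: does the page still contain a literal <tag> from input?"""
    return f"<{tag}" in rendered.replace(f'<option value="', "").replace("<option>", "")


if __name__ == "__main__":
    print("vulnerable:", render_ssid_options_vulnerable(SCANNED_SSIDS))
    print("fixed:     ", render_ssid_options_fixed(SCANNED_SSIDS))
```

The escaped version still shows the hostile network names to the user (as visible text, which is the right behaviour for a scan list), but they can no longer execute or break the form; the same one-line escape also covers the DoS case, because an unterminated tag becomes inert text.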

Remediation

To mitigate this vulnerability, users should avoid running setup if any oddly named SSIDs are being broadcast in the general vicinity, such as SSIDs containing HTML markup and/or JavaScript code in their names.

Also, in general the mobile application can be used to set up and configure the garage door opener. This avoids any direct interaction with the vulnerable “Garage Door Control Setup” configuration page.

Additional Notes from the Vendor

This is a very low-impact vulnerability with minimal risk. This can only occur when the owner places the device in the Wi-Fi configuration mode for a limited period and the intruder operates within the 2.4 GHz band distance range during that limited configuration period. The device will not be impacted by the misconfiguration if that were to occur and it is fully capable of recovering from misconfiguration. The device cannot be operated with a misconfigured SSID as the device can only be claimed by the owner using the mobile app. There is no vulnerability in the mobile app which is the approved mode of device provisioning.

Mitigation: Use mobile app to configure the device.

Unauthenticated access allowed to web interface for “Garage Door Control Module Setup” page (CVE-2023-5881) - FIXED

This vulnerability allows a user with network access to connect to the Aladdin Connect device web server's “Garage Door Control Module Setup” web page and alter the garage door's connected Wi-Fi SSID settings without authenticating.

Exploitation

The device allows unauthenticated access to the Garage Door Control Module Setup configuration page on TCP port 80. This allows anyone with network access to reconfigure the Wi-Fi settings without being challenged to authenticate. A sample of this access to the configuration web page is shown in Figure 6:

Figure 6: Unauthenticated Configuration Service Access, Port 80

Remediation

To prevent exploitation, users should only attach the Aladdin Garage door smart retrofit kit to a network they own and control. Also, access to this network should not be allowed from any other network source such as the Internet.

Additional Notes from the Vendor

This is a very low-impact vulnerability with minimal risk. This can only occur when the intruder has access to the same local network as the retrofit kit (use the same network router), so the attack vector is limited to local. This web interface is not accessible from the internet. The device cannot be operated with a misconfigured SSID, as the device can only be claimed using the mobile app that an owner would use.

Mitigation: Update the Retrofit device to the latest software version, 14.1.1. Fix was automatically updated on all online devices as of December 2023. Please reach out to customer service to confirm if your device has the update.

Authenticated user access to other users' data via service API - FIXED

An authenticated user can gain unauthorized access to other users’ data by querying the following API using a different device ID than their own.

  • http://pxdqkls7aj.execute-api.us-east-1.amazonaws.com/Android/devices/879267

Figure 1 shows sample fields that are potentially viewable using this method:

Figure 1: Enumeration of User Data
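The two server-side issues in this post, the setup page that never checks who is calling (CVE-2023-5881) and the API that checks who is calling but not whether the requested device belongs to them, are distinct access-control failures and are best seen side by side. The code below is an added illustration, not the device firmware, the Genie service API or Rapid7 tooling; the device records, session tokens, header names and handler shapes are all constructed assumptions. Each vulnerable handler is paired with the corresponding fixed one.

```python
# Constructed data: device IDs, owners and session tokens are made up.
DEVICES = {
    "100001": {"owner": "alice", "name": "Main garage", "firmware": "14.0.0"},
    "100002": {"owner": "bob",   "name": "Workshop",    "firmware": "14.0.0"},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
WIFI_CONFIG = {"ssid": "factory-default"}  # local setup state on the retrofit unit


class AuthError(Exception):
    """No valid session presented (HTTP 401 in a real server)."""


class Forbidden(Exception):
    """Valid session, but the caller may not touch this resource (HTTP 403/404)."""


def authenticate(headers):
    """Map a bearer token from the request headers to a user, or raise."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    user = SESSIONS.get(token)
    if user is None:
        raise AuthError("missing or invalid session token")
    return user


# --- Local setup page -------------------------------------------------------

def setup_page_vulnerable(headers, new_ssid):
    """Flaw pattern: anyone who can reach port 80 may change the Wi-Fi config."""
    WIFI_CONFIG["ssid"] = new_ssid
    return 200


def setup_page_fixed(headers, new_ssid):
    """Require a session before any configuration change is accepted."""
    authenticate(headers)
    WIFI_CONFIG["ssid"] = new_ssid
    return 200


# --- Cloud device API -------------------------------------------------------

def get_device_vulnerable(headers, device_id):
    """IDOR pattern: authenticated, but device_id is never tied to the caller."""
    authenticate(headers)
    return DEVICES[device_id]


def get_device_fixed(headers, device_id):
    """Authenticate, then enforce ownership before returning anything."""
    user = authenticate(headers)
    device = DEVICES.get(device_id)
    # Same response for "does not exist" and "not yours", so the endpoint
    # cannot be used to enumerate which device IDs are valid.
    if device is None or device["owner"] != user:
        raise Forbidden("device not found or not owned by caller")
    return device


if __name__ == "__main__":
    bob = {"Authorization": "Bearer tok-bob"}
    print("vulnerable API leaks:", get_device_vulnerable(bob, "100001")["owner"])
    try:
        get_device_fixed(bob, "100001")
    except Forbidden as e:
        print("fixed API:", e)
```

The ownership check in `get_device_fixed` is the whole fix for the API issue: the session identifies the caller, the lookup is scoped to that caller's devices, and a miss is indistinguishable from a foreign device. For the local setup page, even a single owner-set credential is enough to close the gap described in Figure 6, and the network-isolation advice above remains worthwhile as defence in depth.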

Additional Notes from the Vendor

This was resolved immediately after our internal penetration testing detected the issue. This happened because of a recent software update. The fix was applied to the API on 07/25/2023.

Mitigation: None