There are, of course, some really good reasons to connect certain devices to the Internet. For example, remotely switching on your A/C a few minutes before you enter your home, instead of leaving it blasting all day.
But does everything need to be connected?
Of course not. One such example is the latest bug report at Full Disclosure, affecting an Internet-connected washer-disinfector appliance by Germany-based manufacturer Miele.
The Miele Professional PG 8528 appliance, which is used in medical establishments to clean and properly disinfect laboratory and surgical instruments, is suffering from a Web Server Directory Traversal vulnerability.
Jens Regel of German consultancy Schneider & Wulf has discovered the flaw (CVE-2017-7240) that allows an unauthenticated, remote attacker to access directories other than those needed by a web server.
Once accessed, the attacker can steal sensitive information stored on the server and even insert their own malicious code and tell the web server to execute it.
"The corresponding embedded web server 'PST10 WebServer' typically listens to port 80 and is prone to a directory traversal attack, [and] therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aid in subsequent attacks," Regel explained.
Proof-of-Concept Exploit Code Released!
Regel also published proof-of-concept (PoC) exploit code for this vulnerability, which means hackers can now exploit the vulnerability before the vendor issues a patch.
The PoC exploit is simple for anyone to run:
GET /../../../../../../../../../../../../etc/shadow HTTP/1.1 to whatever IP the dishwasher has on the LAN.

It's unclear which libraries Miele used to craft the Web server, though, according to Regel, he's able to request the embedded system's shadow file – and by extension any file on the filesystem.
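For contrast, the server-side check that stops a request like the one above, as an added example (not code from Miele, Regel or the PST10 WebServer): the request path is decoded, resolved, and served only if it still lies under the document root. The function name `resolve_under_root` and the temporary document root are assumptions for illustration.

```python
import os
import tempfile


def resolve_under_root(docroot, request_target):
    """Map an HTTP request target to a file path inside docroot.

    Returns the absolute path, or None if the target would leave docroot.
    """
    from urllib.parse import unquote

    root = os.path.realpath(docroot)
    # Keep only the path part; drop any query string or fragment.
    raw_path = request_target.split("?", 1)[0].split("#", 1)[0]
    # Decode percent-escapes exactly once, so %2e%2e/ is judged as "../".
    path = unquote(raw_path)
    # NUL bytes and backslashes have no place in a path served from disk.
    if "\x00" in path or "\\" in path:
        return None
    # Join relative to the root, then collapse "..", "." and symlinks.
    candidate = os.path.realpath(os.path.join(root, path.lstrip("/")))
    # Accept only the root itself or something beneath it.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    docroot = tempfile.mkdtemp()  # constructed stand-in for a document root
    # Constructed sample targets; the second is the one quoted in the report.
    samples = [
        "/index.html",
        "/../../../../../../../../../../../../etc/shadow",
        "/%2e%2e/%2e%2e/etc/shadow",
        "/css/../index.html?lang=en",
    ]
    for target in samples:
        resolved = resolve_under_root(docroot, target)
        verdict = "serve " + resolved if resolved else "reject (400/403)"
        print(f"{target!r:60} -> {verdict}")
```
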
The researcher privately disclosed the vulnerability to Miele in November 2016, but did not hear back from the vendor for more than three months. So, when a fix can be expected (or if one exists) is still unknown.
Therefore, the best option to keep yourself secure is to disconnect the appliance from the Internet until a patch is released.