
VU#176301: Auto-Maskin DCU 210E, RP 210E and Marine Pro Observer App

CWE-798: Use of Hard-Coded Credentials – CVE-2018-5399
The DCU 210E firmware contains an undocumented Dropbear SSH server with a hardcoded username and password. The password is easily susceptible to cracking.

CWE-346: Origin Validation Error – CVE-2018-5400
The Auto-Maskin products utilize an undocumented custom protocol to set up Modbus communications with other devices without validating those devices.

CWE-319: Cleartext Transmission of Sensitive Information – CVE-2018-5401
The devices transmit process control information via unencrypted Modbus communications.

CWE-319: Cleartext Transmission of Sensitive Information – CVE-2018-5402
The embedded webserver uses unencrypted plaintext for the transmission of the administrator PIN.
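To make CVE-2018-5401 concrete for anyone auditing such a network segment, the following added example (not from the advisory or the vendor) decodes one constructed Modbus response without any key or secret. It assumes standard Modbus/TCP framing, which the advisory does not specify, and the register values are invented.

```python
import struct

# Constructed sample: a Modbus/TCP "Read Holding Registers" (function 0x03)
# response carrying two 16-bit registers. All values are made up.
SAMPLE_FRAME = bytes.fromhex("000100000007" "01" "03" "04" "05dc" "0055")


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the MBAP header and PDU of one Modbus/TCP response frame."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0, so this is not Modbus/TCP")
    # The MBAP length field counts the unit id plus the whole PDU.
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    func, data = frame[7], frame[8:]
    out = {"transaction": tid, "unit": unit, "function": func,
           "registers": None, "exception": None}
    if func & 0x80:
        # High bit set: exception response, one exception-code byte follows.
        out["exception"] = data[0] if data else None
    elif func in (0x03, 0x04):
        # Read responses: byte count, then that many bytes of registers.
        if not data or data[0] != len(data) - 1 or data[0] % 2:
            raise ValueError("bad byte count in read response")
        out["registers"] = list(struct.unpack(f">{data[0] // 2}H", data[1:]))
    return out


if __name__ == "__main__":
    decoded = parse_modbus_tcp(SAMPLE_FRAME)
    # Nothing in the frame is encrypted or authenticated: the process values
    # are directly readable, and the frame carries no integrity check.
    print(decoded)
```

The frame has no field that could carry a signature or MAC, so confidentiality and integrity for this traffic have to come from the network layer, for example segmentation or an encrypted tunnel.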
