CVE-2023-34316 – Delta Electronics InfraSuite Device Master Improper Access Control
https://notcve.org/view.php?id=CVE-2023-34316
An attacker could bypass the latest Delta Electronics InfraSuite Device Master (versions prior to 1.0.7) patch, which could allow an attacker to retrieve file contents. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Delta Electronics InfraSuite Device Master. Authentication is required to exploit this vulnerability. The specific flaw exists within the gateway endpoint, which listens on TCP ports 80 and 443 by default. The issue results from improper access control. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-01 • CWE-284: Improper Access Control •
CVE-2023-30765 – Delta Electronics InfraSuite Device Master Improper Access Control
https://notcve.org/view.php?id=CVE-2023-30765
Delta Electronics InfraSuite Device Master versions prior to 1.0.7 contain improper access controls that could allow an attacker to alter privilege management configurations, resulting in privilege escalation. This vulnerability allows remote attackers to escalate privileges on affected installations of Delta Electronics InfraSuite Device Master. Authentication is required to exploit this vulnerability. The specific flaw exists within the modifyusergroup endpoint. The issue results from improper access control. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user. • https://github.com/0xfml/CVE-2023-30765 https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-01 • CWE-284: Improper Access Control •
CVE-2023-34347 – Delta Electronics InfraSuite Device Master Deserialization of Untrusted Data
https://notcve.org/view.php?id=CVE-2023-34347
Delta Electronics InfraSuite Device Master versions prior to 1.0.7 contains classes that cannot be deserialized, which could allow an attack to remotely execute arbitrary code. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics InfraSuite Device Master. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Device-Gateway service, which listens on TCP port 3100 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of an administrator. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-01 • CWE-502: Deserialization of Untrusted Data •
CVE-2023-1135 – Delta Electronics InfraSuite Device Master Incorrect Permission Assignment Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2023-1135
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could set incorrect directory permissions, which could result in local privilege escalation. This vulnerability allows local attackers to escalate privileges on affected installations of Delta Electronics InfraSuite Device Master. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the product installer. The product sets incorrect permissions on folders. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2023-1145 – Delta Electronics InfraSuite Device Master Device-DataCollect Deserialization of Untrusted Data Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-1145
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics InfraSuite Device Master. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Device-DataCollect service, which listens on TCP port 3000 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of an administrator. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02 • CWE-502: Deserialization of Untrusted Data •