1. EXECUTIVE SUMMARY
- CVSS v3 5.4
- ATTENTION: Exploitable with adjacent access/low attack complexity
- Vendor: Zebra Technologies
- Equipment: ZTC Industrial ZT410, ZTC Desktop GK420d
- Vulnerability: Authentication Bypass Using an Alternate Path or Channel
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to send specially crafted packets to change credentials without any prior authentication.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Zebra ZTC industrial and desktop printers are affected:
- ZTC Industrial ZT410: All versions
- ZTC Desktop GK420d: All versions
3.2 Vulnerability Overview
3.2.1 Authentication Bypass Using an Alternate Path or Channel CWE-288
A vulnerability of authentication bypass has been found in Zebra Technologies ZTC Industrial ZT410 and ZTC Desktop GK420d. This vulnerability allows an attacker that is in the same network as the printer to change the username and password for the web page by sending a specially crafted POST request to the setvarsResults.cgi file. For this vulnerability to be exploitable, the printer’s protected mode must be disabled.
CVE-2023-4957 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
Phosphorus Cybersecurity reported this vulnerability to CISA.
<
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: