← Advisories

OpenBMCS 2.4 Secrets Disclosure

High

Advisory ID

ZSL-2022-5695

Release Date

16 January 2022

Vendor

OPEN BMCS - https://www.openbmcs.com

Affected Version

2.4

CVE

N/A

Tested On

Linux Ubuntu 5.4.0-65-generic (x86_64), Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686), Apache/2.4.41 (Ubuntu), Apache/2.4.25 (Debian), nginx/1.16.1, PHP/7.4.3, PHP/7.0.33-0+deb9u9

Summary

Building Management & Controls System (BMCS). No matter what the size of your business, the OpenBMCS software has the ability to expand to hundreds of controllers. Our product can control and monitor anything from a garage door to a complete campus wide network, with everything you need on board.

Description

The application allows directory listing and information disclosure of some sensitive files that can allow an attacker to leverage the disclosed information and gain full BMS access.

Proof of Concept

openbmcs_diri.txtTXT

Disclosure Timeline

26.10.2021Vulnerability discovered.

17.11.2021Vendor contacted.

15.01.2022No response from the vendor.

16.01.2022Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://packetstormsecurity.com/files/165586/OpenBMCS-2.4-Secret-Disclosure.html

[2]https://www.exploit-db.com/exploits/50671

[3]https://exchange.xforce.ibmcloud.com/vulnerabilities/217380

Changelog

16.01.2022Initial release

20.01.2022Added reference [1], [2] and [3]