← Advisories

Delta Controls enteliTOUCH 3.40.3935 Cookie User Password Disclosure

Medium
Advisory ID
ZSL-2022-5704
Release Date
14 April 2022
Vendor
Delta Controls Inc. - https://www.deltacontrols.com
Affected Version
3.40.3935, 3.40.3706, 3.33.4005
CVE
CVE-2022-29733
Tested On
DELTA enteliTOUCH
Summary

enteliTOUCH - Touchscreen Building Controller. Get instant access to the heart of your BAS. The enteliTOUCH has a 7-inch, high-resolution display that serves as an interface to your building. Use it as your primary interface for smaller facilities or as an on-the-spot access point for larger systems. The intuitive, easy-to-navigate interface gives instant access to manage your BAS.

Description

The application suffers from a cleartext transmission/storage of sensitive information in a Cookie. This allows a remote attacker to intercept the HTTP Cookie authentication credentials through a man-in-the-middle attack.

Proof of Concept
entelitouch_cookie_pwd.txtTXT
Disclosure Timeline
06.04.2022Vulnerability discovered.
06.04.2022Vendor contacted.
13.04.2022No response from the vendor.
14.04.2022Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.exploit-db.com/exploits/50880
[2]https://packetstormsecurity.com/files/166729/
[3]https://exchange.xforce.ibmcloud.com/vulnerabilities/224336
[4]https://cxsecurity.com/issue/WLB-2022040067
[5]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29733
[6]https://nvd.nist.gov/vuln/detail/CVE-2022-29733
Changelog
14.04.2022Initial release
20.04.2022Added reference [1], [2], [3] and [4]
29.05.2022Added reference [5] and [6]