Bellini/Supercook Wi-Fi Yumi SC200 - Multiple vulnerabilities

Reported By:
==================================
James McLean
Primary: james dot mclean at gmail dot com
Secondary: labs at juicedigital dot net

Device Overview:
==================================
From http://ift.tt/2a7NCXM

"The Bellini.SUPERCOOK Kitchen Master is much more than a multifunctional kitchen machine. It has 13 functions so not only saves a huge amount of time, it also incorporates the Yumi control module and its own recipe collection, making it incredibly easy to use."

Vulnerability Overview:
==================================
Vuln1) Weak username/password for the 'root' account.
Vuln2) Information disclosure, unauthenticated.
Vuln3) Remote arbitrary code execution.

CVE IDs
==================================
None assigned as yet.

Disclosure Timeline
==================================
2016-06-01: Vulnerability assessment commenced.
2016-07-04: Contacted Supercook.me support via Web Contact. No response.
2016-07-12: Contacted Supercook.me support via Web Contact. No response.
2016-07-12: Contacted Supercook Australia via Facebook. Supercook responded, saying they will view the support request. No further response received.
2016-07-19: Contacted Supercook Australia via Facebook. No response.
2016-07-21: Posted security assessment to vortex.id.au.
2016-07-22: Mitre contacted, CVE IDs requested.

It is with regret, but ultimately due to my concern for the community that own these devices, that due to lack of communication I am disclosing these vulnerabilities without the involvement of the vendor. I sincerely hope that the vendor can resolve these issues in a timely manner. I intend no malice by releasing these vulnerabilities, and only wish to inform the community so appropriate steps may be taken by the owners of these devices. Due to the nature of the firmware on the device, these issues are not likely caused by the vendor themselves. Please do not use the information presented here for evil.

Affected Platforms:
==================================
Bellini/Supercook Wi-Fi Yumi SC200 - Confirmed affected: Vuln1, Vuln2, Vuln3.
Bellini/Supercook Wi-Fi Yumi SC250 - Likely affected: Vuln1, Vuln2, Vuln3, as the same firmware is used.

As the Wi-Fi Yumi firmware appears to be based on a stock firmware image used on a number of other commodity 'IoT' devices, the vulnerabilities described here are very likely to affect other devices with similar or the same firmware.
Source: Gmail -> IFTTT-> Blogger