Email Password Disclosure.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
The vulnerability classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) consists of the device disclosing the email password in a manner accessible to an unauthenticated remote attacker. A network attack vector without authentication requirements, user interaction, or special conditions means that the exploit can be conducted over the network without any privileges. The detailed mechanism of disclosure (e.g., API response, web interface, unencrypted transmission) was not specified in the manufacturer's description.
An attacker can obtain access to the email account password configured in the device, which may lead to email account takeover, further lateral movement in the network, and violation of confidentiality, integrity, and availability of both the target system and related systems.
Apply patches available from the manufacturer in accordance with references published at https://azure-access.com/security-advisories. Until firmware is updated, it is recommended to isolate devices from public networks and restrict access to them only to trusted network segments.
Azure-Access BLU-IC2 with firmware version up to and including 1.19.5, and Azure-Access BLU-IC4 with firmware version up to and including 1.19.5.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XAzure Access Blu Ic2
HWAzure-Accesswszystkie wersjeAzure Access Blu Ic2 Firmware
OSAzure-Access< 1.20Azure Access Blu Ic4
HWAzure-Accesswszystkie wersjeAzure Access Blu Ic4 Firmware
OSAzure-Access< 1.20
Related vulnerabilities
Krytyczna podatność Web UI w urządzeniach Azure-Access BLU-IC2/IC4
Współdzielenie statycznych sekretów SDKSocket w urządzeniach Azure-Access BLU-IC2/IC4
Podatność DoS (SlowLoris) w Azure-Access BLU-IC2 i BLU-IC4
Wyłączona weryfikacja certyfikatu serwera e-mail w Azure-Access BLU-IC2/IC4
Brak obsługi błędów HTTP 5xx w Azure-Access BLU-IC2 i BLU-IC4