Denial of Service Due to SlowLoris.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
The SlowLoris technique involves maintaining a large number of HTTP connections open for as long as possible by sending request headers slowly. The HTTP server on the vulnerable device exhausts the pool of available connections and stops responding to new requests. The vulnerability does not require authentication or any user interaction, and the attack can be performed remotely over the network (AV:N, AC:L).
An attacker can completely disable network services on the device (Denial of Service), which in access control environments can result in inability to manage the device and potentially disrupt physical access control functions.
Apply patches available from the manufacturer according to references published at https://azure-access.com/security-advisories. Until updates are deployed, it is recommended to restrict network access to the device management interface only to trusted hosts (e.g., through firewall or network segmentation).
Azure-Access BLU-IC2 in versions up to and including 1.19.5 and Azure-Access BLU-IC4 in versions up to and including 1.19.5 (along with corresponding firmware).
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XAzure Access Blu Ic2
HWAzure-Accesswszystkie wersjeAzure Access Blu Ic2 Firmware
OSAzure-Access< 1.20Azure Access Blu Ic4
HWAzure-Accesswszystkie wersjeAzure Access Blu Ic4 Firmware
OSAzure-Access< 1.20
Related vulnerabilities
Krytyczna podatność Web UI w urządzeniach Azure-Access BLU-IC2/IC4
Współdzielenie statycznych sekretów SDKSocket w urządzeniach Azure-Access BLU-IC2/IC4
Wyłączona weryfikacja certyfikatu serwera e-mail w Azure-Access BLU-IC2/IC4
Brak obsługi błędów HTTP 5xx w Azure-Access BLU-IC2 i BLU-IC4
Systemiczne błędy wewnętrzne serwera (HTTP 500) w Azure-Access BLU-IC2 i BLU-IC4