VYPR
Unrated severity · NVD Advisory · Published Aug 13, 2018 · Updated Sep 16, 2024

CVE-2018-15123

Description

Zipato Zipabox Smart Home Controller stores configuration insecurely, enabling an unauthenticated remote attacker to fully compromise the device and smart home.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Zipato Zipabox Smart Home Controller (BOARD REV -1, System Version -118) stores its configuration in an insecure manner [1]. The vulnerability resides in the device's handling of configuration data: an attacker who gains access to the configuration storage can manipulate device settings. The reference mentions no authentication or other prerequisites beyond remote network access to the device.

Exploitation

An unauthenticated attacker can remotely exploit the insecure configuration storage by accessing the configuration data without proper authorization [1]. The specific attack vector is not detailed in the reference, but the advisory indicates that the attacker can leverage the insecure storage to perform further actions and take control of the device.

Impact

Successful exploitation allows the attacker to take full control of the Zipabox device and, consequently, the entire connected smart home system [1]. This can lead to unauthorized manipulation of smart home functions, data disclosure, and physical actions (e.g., unlocking doors, disabling alarms).

Mitigation

The vendor notified Kaspersky that some vulnerabilities were fixed as of June 6, 2018 [1]. However, the advisory was published in August 2018 and suggests that the fix may not fully address this specific issue or that some systems remain unpatched. Users should contact Zipato to confirm the availability of a firmware update that addresses insecure configuration storage, as no explicit workaround is provided.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
