Delta Electronics DIAEnergie Cleartext Transmission of Sensitive Information
Description
Delta Electronics DIAEnergie (Version 1.7.5 and prior) is vulnerable to cleartext transmission as the web application runs by default on HTTP. This could allow an attacker to remotely read transmitted information between the client and product.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Delta DIAEnergie versions prior to 1.9 transmit data in cleartext over HTTP, allowing remote attackers to intercept sensitive information.
Vulnerability
Delta Electronics DIAEnergie, versions prior to 1.9, runs its web application by default on HTTP, transmitting data in cleartext. This cleartext transmission vulnerability (CWE-319) affects version 1.7.5 and earlier, as noted in the advisory [1]. The affected product does not enforce HTTPS by default, exposing all communication between the client and the device.
Exploitation
An attacker with network access to the traffic between a client and the DIAEnergie web interface can passively capture unencrypted HTTP sessions. No authentication or user interaction is required; the attacker only needs to be positioned to observe the network traffic (e.g., on the same local network or via a compromised intermediary). The attacker can then read the transmitted data, including credentials and other sensitive information.
Impact
Successful exploitation allows an attacker to remotely read transmitted information between the client and product, leading to disclosure of sensitive data such as passwords, session tokens, and operational details. While the advisory lists this vulnerability with a CVSS v3 base score of 9.8, the specific cleartext transmission issue contributes to the overall risk of information disclosure.
Mitigation
Delta has released DIAEnergie version 1.9, which addresses this vulnerability. Users should update to version 1.9 or later. If immediate upgrade is not possible, mitigating measures include enforcing HTTPS at the network level (e.g., using a reverse proxy or VPN) and restricting network access to the DIAEnergie interface to trusted hosts only.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=1.7.5
- (no CPE) range: unspecified
Patches
No patches discovered yet.
References
1. www.cisa.gov/uscert/ics/advisories/icsa-21-238-03 (mitre, x_refsource_CONFIRM)