Information disclosure in PDQ Manufacturing, Inc. products - CVE-2017-9632

Published: July 31, 2017


Vulnerability identifier: #VU7601
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-9632
CWE-ID: CWE-311
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: PDQ Manufacturing, Inc.
Affected software:
ProTouch AutoGloss
ProTouch ICON
ProTouch Tandem
LaserJet
LaserWash AutoXpress Plus
LaserWash AutoXpress
LaserWash 360 Plus
LaserWash 360
LaserWash M5
LaserWash G5 S Series
LaserWash G5

Detailed vulnerability description

The vulnerability allows a remote attacker to obtain potentially sensitive information from the target system.

The weakness exists because the supplied username and password are transmitted insecurely. A remote attacker can disclose arbitrary files on the system.

How to mitigate CVE-2017-9632

PDQ recommends that users apply the following controls:

  • Always make sure any PDQ equipment is not accessible from the Internet; it should be behind a secure firewall.
  • Whenever a machine or router is received and installed, always change the default password from the factory settings to a new password unique to the machine. If an existing site is still using the factory default passwords on a machine or router, immediately change the default password to a new, unique, strong password.
  • Always set up the system network (router or Wi-Fi) with its security features enabled such that they require a username and password to be able to access the machine network.
  • Do not set up the site router with “port forwarding” enabled. This can effectively expose the system to the Internet and may permit an unauthorized person to reach the machine login screen.
  • Do not share passwords or write them down in an accessible place where unauthorized users may find them.
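As an added defender-side example (not code from the advisory or from PDQ), the audit below flags captured HTTP requests that carry a username and password without TLS, the CWE-311 weakness this advisory describes. The request records, the field names and the `tls` flag are constructed for illustration.

```python
"""Audit captured HTTP requests for credentials sent without TLS (CWE-311).
Added example; the request records are constructed, not real captures."""
import base64
from urllib.parse import parse_qs

# Form field names commonly used for a password (assumption, not vendor-specific)
PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}


def find_cleartext_credentials(request):
    """request: dict with 'tls' (bool), 'headers' (dict) and 'body' (str).
    Returns a list of findings; empty when no credential is exposed on the wire.
    Secret values are never echoed back, only the field or user name."""
    findings = []
    if request["tls"]:
        return findings  # inside TLS the credentials are not visible on the wire
    headers = {k.lower(): v for k, v in request["headers"].items()}

    # HTTP Basic authentication: base64 is encoding, not encryption
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user = base64.b64decode(auth[6:]).decode().split(":", 1)[0]
            findings.append(f"HTTP Basic credentials for user '{user}' sent without TLS")
        except (ValueError, UnicodeDecodeError):
            findings.append("Malformed HTTP Basic header sent without TLS")

    # Login forms posted as application/x-www-form-urlencoded
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name in parse_qs(request["body"]):
            if name.lower() in PASSWORD_FIELDS:
                findings.append(f"Form field '{name}' sent without TLS")
    return findings


# Constructed sample traffic: one plain-HTTP login, one over TLS, one Basic auth
SAMPLE_REQUESTS = [
    {"id": "login-http", "tls": False, "body": "username=operator&password=factory123",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"}},
    {"id": "login-https", "tls": True, "body": "username=operator&password=factory123",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"}},
    {"id": "basic-http", "tls": False, "body": "",
     "headers": {"Authorization": "Basic " + base64.b64encode(b"admin:admin").decode()}},
    {"id": "status-http", "tls": False, "body": "", "headers": {}},
]


def audit(requests):
    """Map each request id to its findings so the result can be reviewed or asserted."""
    return {r["id"]: find_cleartext_credentials(r) for r in requests}


if __name__ == "__main__":
    for rid, issues in audit(SAMPLE_REQUESTS).items():
        print(rid, "->", issues or "ok")
```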
