#VU12874 Man-in-the-middle attack in DiskBoss
Vulnerability identifier: #VU12874
Vulnerability risk: Low
CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-300
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
DiskBoss
Web applications /
Remote management & hosting panels
Vendor: Flexence
Description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to the usage of plaintext information from the handshake as input for the encryption key used for the encryption of the rest of the session. A remote attacker can conduct man-in-the-middle attack and gain access to potentially sensitive information, such as the authentication credentials.
Mitigation
Install update from vendor's website.
Vulnerable software versions
DiskBoss: 8.8.16
External links
http://github.com/bitsadmin/exploits/tree/master/CVE-2018-5261
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
