
List:       full-disclosure
Subject:    [FD] Programi Bilanc - Build 007 Release 014 31.01.2020 - Software-update packages are downloaded vi
From:       Georg Ph E Heise via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2020-12-17 11:54:58
Message-ID: KZxiRspNiQ6Vd7ICj6WFHMr0J1YVHidTVRRFJoVY6p64gxowoVzYd4hhD2FngWqdZJ7dBL7slR1yiJcihBi8aSqMFnSt71Vx7ei1j_XVPwg= () protonmail ! com

Programi Bilanc - Build 007 Release 014 31.01.2020 - Software-update packages are downloaded via unencrypted HTTP

===============================================================================

Identifiers

-------------------------------------------------

CVE-2020-11718

Vendor

-------------------------------------------------

Balanc Shpk (https://bilanc.com)

Product

-------------------------------------------------

Programi Bilanc

Affected versions

-------------------------------------------------

Programi Bilanc - Build 007 Release 014 31.01.2020 and below

Credit

-------------------------------------------------

Georg Ph E Heise (@gpheheise) / Lufthansa Industry Solutions (@LHIND_DLH)

Vulnerability summary

-------------------------------------------------

Programi Bilanc - Build 007 Release 014 31.01.2020 downloads software updates via unencrypted channels and allows attackers to manipulate this process.

Technical details

------------------------------------------------

An attacker is able to intercept the download of software updates and replace the update package with their own manipulated software, as the package is not protected against manipulation (unsigned code).
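As an added illustration, not part of this advisory or of the vendor's product, the two checks an update client needs to close this class of issue: fetch only over https and verify the package against a public key pinned in the client. The vendor key pair, the URL and the package bytes below are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// VerifyUpdate is the check the advisory says is missing: the update must be
// fetched over TLS and its bytes must carry a valid signature from a key
// pinned in the client. It returns nil only when both conditions hold.
func VerifyUpdate(pinned ed25519.PublicKey, updateURL string, pkg, sig []byte) error {
	u, err := url.Parse(updateURL)
	if err != nil || u.Scheme != "https" {
		return errors.New("update URL must use https, got: " + updateURL)
	}
	if !ed25519.Verify(pinned, pkg, sig) {
		return errors.New("update package signature invalid")
	}
	return nil
}

// Demo runs a constructed scenario: the vendor signs a package, the client
// accepts it, then a tampered copy and a plain-http URL are both rejected.
// It reports whether each case was accepted (true) or rejected (false).
func Demo() (genuineOK, tamperedOK, plainHTTPOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key pair (constructed)
	if err != nil {
		panic(err)
	}
	pkg := []byte("constructed update package bytes, Build 007 Release 014")
	sig := ed25519.Sign(priv, pkg)
	const good = "https://updates.example.invalid/bilanc.exe" // hypothetical URL

	genuineOK = VerifyUpdate(pub, good, pkg, sig) == nil

	evil := append([]byte(nil), pkg...)
	evil[0] ^= 0x01 // one flipped byte, as on-path manipulation would produce
	tamperedOK = VerifyUpdate(pub, good, evil, sig) == nil
	plainHTTPOK = VerifyUpdate(pub, "http://updates.example.invalid/bilanc.exe", pkg, sig) == nil
	return
}

func main() {
	g, t, h := Demo()
	fmt.Printf("genuine accepted=%v tampered accepted=%v http accepted=%v\n", g, t, h)
}
```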

Proof of concept

-------------------------------------------------

Withheld

Solution

-------------------------------------------------

Don't use the software in its current version & contact vendor for a solution

Timeline

-------------------------------------------------

Date        | Status
------------|--------------------
01-APR-2020 | Reported to vendor
30-JUN-2020 | End of 90 days Full Disclosure Time
17-DEC-2020 | FULL disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
