List: full-disclosure
Subject: [FD] Programi Bilanc - Build 007 Release 014 31.01.2020 - Software-update packages are downloaded vi
From: Georg Ph E Heise via Fulldisclosure <fulldisclosure () seclists ! org>
Date: 2020-12-17 11:54:58
Message-ID: KZxiRspNiQ6Vd7ICj6WFHMr0J1YVHidTVRRFJoVY6p64gxowoVzYd4hhD2FngWqdZJ7dBL7slR1yiJcihBi8aSqMFnSt71Vx7ei1j_XVPwg= () protonmail ! com
Programi Bilanc - Build 007 Release 014 31.01.2020 - Software-update packages are downloaded via unencrypted HTTP
===============================================================================
Identifiers
-------------------------------------------------
CVE-2020-11718
Vendor
-------------------------------------------------
Balanc Shpk (https://bilanc.com)
Product
-------------------------------------------------
Programi Bilanc
Affected versions
-------------------------------------------------
Programi Bilanc - Build 007 Release 014 31.01.2020 and below
Credit
-------------------------------------------------
Georg Ph E Heise (@gpheheise) / Lufthansa Industry Solutions (@LHIND_DLH)
Vulnerability summary
-------------------------------------------------
Programi Bilanc - Build 007 Release 014 31.01.2020 and below downloads software updates via unencrypted channels and allows attackers to manipulate this process.
Technical details
------------------------------------------------
An attacker who can intercept the update download is able to replace the update package with their own manipulated software, because the process is not protected against manipulation: the package is fetched over plain HTTP and the code is unsigned, so the client has no way to detect the substitution.
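The two controls that close this class of issue are an update location that is only ever fetched over HTTPS and a publisher signature that the client verifies before installing anything. The following Go program is an added example written for this advisory, not code from Balanc Shpk or from Programi Bilanc; it assumes an Ed25519 publisher key embedded in the client, a constructed sample package standing in for a real update, and a placeholder host name. It rejects a plain-HTTP update URL, accepts a genuinely signed package, and refuses the same package once a single byte has been altered.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// CheckUpdateURL refuses any update location that is not HTTPS, so a
// network-position attacker is never handed a plaintext download to tamper with.
func CheckUpdateURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparseable update URL: %w", err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("update URL must use https, got scheme %q", u.Scheme)
	}
	if u.Host == "" {
		return errors.New("update URL has no host")
	}
	return nil
}

// VerifyUpdate checks a detached Ed25519 signature over the package bytes
// against the publisher public key shipped inside the client. Only a package
// whose signature verifies may be installed; anything else is discarded.
func VerifyUpdate(pkg, sig []byte, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("embedded publisher key has the wrong size")
	}
	if len(sig) != ed25519.SignatureSize {
		return errors.New("signature has the wrong size")
	}
	if !ed25519.Verify(pub, pkg, sig) {
		return errors.New("update package signature does not verify: refusing to install")
	}
	return nil
}

// Demo runs the scenario end to end. The key pair and the package are
// constructed here for illustration (an assumption, not the vendor's process):
// the private half stands in for the vendor's release-signing step.
// It returns (plainHTTPRejected, genuineAccepted, tamperedRejected).
func Demo() (bool, bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	pkg := []byte("constructed sample update package, not a real Bilanc build")
	sig := ed25519.Sign(priv, pkg)

	// Placeholder host; the real update server is not named on the page.
	plainRejected := CheckUpdateURL("http://updates.example.invalid/bilanc/update.zip") != nil
	httpsAccepted := CheckUpdateURL("https://updates.example.invalid/bilanc/update.zip") == nil

	genuineAccepted := VerifyUpdate(pkg, sig, pub) == nil

	// Flip one byte, as a man-in-the-middle substitution would, and re-verify.
	tampered := append([]byte{}, pkg...)
	tampered[0] ^= 0x01
	tamperedRejected := VerifyUpdate(tampered, sig, pub) != nil

	return plainRejected && httpsAccepted, genuineAccepted, tamperedRejected, nil
}

func main() {
	plainRejected, genuineAccepted, tamperedRejected, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("plain-HTTP URL rejected:   %v\n", plainRejected)
	fmt.Printf("genuine package accepted:  %v\n", genuineAccepted)
	fmt.Printf("tampered package rejected: %v\n", tamperedRejected)
}
```

Signature verification is what actually protects the install step: HTTPS alone still trusts whatever the server (or anyone holding a valid certificate for it) serves, while an embedded publisher key means a substituted package fails regardless of how it arrived.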
Proof of concept
-------------------------------------------------
Withheld
Solution
-------------------------------------------------
Don't use the software in its current version & contact vendor for a solution
Timeline
-------------------------------------------------
Date        | Status
------------|--------------------
01-APR-2020 | Reported to vendor
30-JUN-2020 | End of 90 days Full Disclosure Time
17-DEC-2020 | FULL disclosure
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/