| CVE-2005-2572 | 3/21/2024 | According to the tenable Nessus vulnerability
page, it describes exposure of a remote MySQL
database that “User-defined functions in
MySQL can allow a database user to cause
binary libraries on the host to be loaded.” | None | In the 10ZiG Manager implementation,
MySQL is not configured to permit
remote access; therefore, the
database is only accessible by local
processes mitigating the mentioned
exposure. The 10ZiG Manager handles
all database access, including queries
and updates. |
| Misconfigured web
servers allows remote
clients to perform
dangerous HTTP
methods such as PUT
and DELETE. | 10/27/2022 | Lighttpd daemon allows for PUT and DELETE
methods in firmware. | Use “Block Port 80” check
box in Security Settings
applet of firmware and
connect using the Cloud
Connector method. | Disabling port 80 on the firmware
mitigates this issue due to the web
server no longer listening or
responding on that port. |
| Multiple CVE –
InsydeH20 UEFI
Software impacted by
multiple vulnerabilities
in SMM | 3/21/2022 | Multiple vulnerabilities have been found in
Insyde UEFI BIOS. These affect the Insyde H2O
UEFI firmware used on some 10ZiG clients. At
present this effects the 6000q and 6100 series. | Set a UEFI password
Do not allow booting from
USB storage media | Contact 10ZiG Technical Support for
access to updated BIOS or details as
per suggested solution. |
| CVE-2021-44228 | 12/13/2021 | Apache Log4j2 <=2.14.1 JNDI features used in configuration,
log messages, and parameters do not protect against attacker
controlled LDAP and other JNDI related endpoints. An
attacker who can control log messages or log message
parameters can execute arbitrary code loaded from LDAP
servers when message lookup substitution is enabled. | 10ZiG current releases, to
include the 10ZiG Manager,
NOS-64, PKOS-64, PKOS (32-
bit), RePurpOS, and 10ZiG's
stock Windows 10 builds do not
contain Log4j. | On completion of the investigation 10ZiG
confirm that the products and tested versions
do not contain presence of Log4j and are not
at risk of this security vulnerability.
However due to the wide array of firmware
and software versions in deployment,
customers are advised to satisfy their own
security requirements and perform security
audits, focusing first on internet- facing
devices and services. |
| Misconfigured web
servers allows remote
clients to perform
dangerous HTTP methods
such as PUT and DELETE. | 1/15/2020 | Enabled PUT method: This might allow an attacker to
upload and run arbitrary code on this web server. -
Enabled DELETE method: This might allow an attacker
to delete additional files on this web server. | Limit access to web server | We use WebDAV for client
management. We store new packages
in this directory during the update
process. The /upload directory is a
temporary directory that is used by our
management software during the
upgrade process. It is
created/recreated during a system
reboot so any files in the directory will
be lost during the reboot process.
While it is possible to Put/Delete files
on the webserver, the /upload directory
is not browsable so it is not possible to
execute any malicious code/scripts that
might be placed in the directory. |
| CVE 2018-19052 | 1/13/2020 | An issue was discovered in
mod_alias_physical_handler in mod_alias.c in lighttpd
before 1.4.50. There is potential ../ path traversal of a
single directory above an alias target, with a specific
mod_alias configuration where the matched alias
lacks a trailing '/' character, but the alias target
filesystem path does have a trailing '/' character. | Upgrade lighttpd web
server | Upgrade lighttpd web server to 1.4.54 |
| CVE-2018-15599 | 10/18/2019 | The recv_msg_userauth_request function in svr-auth.c
in Dropbear through 2018.76 is prone to a user
enumeration vulnerability because username validity
affects how fields in SSH_MSG_USERAUTH messages
are handled, a similar issue to CVE-2018-15473 in an
unrelated codebase. | Upgrade dropbear SSH
server | Upgrade dropbear SSH server to
v2018.76 |
| SSH server ciphers | 11/30/2019 | Dropbear SSH server not compatible with latest SSH
cipher suites | Upgrade dropbear SSH
server | Upgrade dropbear SSH server to
v2018.76 |
| CVE-2017-9079 | 12/1/2019 | Dropbear before 2017.75 might allow local users to
read certain files as root, if the file has the
authorized_keys file format with a command= option.
This occurs because ~/.ssh/authorized_keys is read
with root privileges and symlinks are followed. | Upgrade dropbear SSH
server | Upgrade dropbear SSH server to
v2018.76 |
| CVE-2017-9078 | 12/1/2019 | The server in Dropbear before 2017.75 might allow
post-authentication root remote code execution
because of a double free in cleanup of TCP listeners
when the -a option is enabled. | Upgrade dropbear SSH
server | Upgrade dropbear SSH server to
v2018.76 |
| CVE-2000- 0869
CWE-693 | 3/5/2019 | The installation of LightHTTPd enables WebDAV,
which allows remote attackers to list arbitrary
diretories via the PROPFIND HTTP request method. | Limit access to web server | We use WebDAV for client
management. The only directory that
is truly viewable is /upload. We store
new packages in this directory during
the update process. This is a
temporary directory that is created
on a system reboot so any files in the
directory will be lost during the
reboot process.
While it is possible for multiple people
to view webpages provided by the
client, no pages provided by the
server permit any user interaction. As
such, it is not possible to execute a
click-jacking attack against the
webserver. |
| Click Jacking 443 | 7/24/2018 | "Use HTTP X-Frame-Options Send the HTTP
response headers with X-Frame-Options that instruct
the browser to restrict framing where it is not
allowed." | Limit access to web server | The thin client web server is used only
by the management software. Cannot
browse the contents… |
| Empty password
field in
/etc/passwd:User
usbmux [user] | 7/24/2018 | Secure the account with a strong password in case
the account is still in use, provide a strong password.
If it is not in use currently either delete the account
or deactivate it by locking it and setting the login
shell to
/dev/null. Use the following command to deactivate it: | Use secure passwords | These accounts are for internal
use only. And cannot be used to
access the system. |
| SMB Signing
Disabled 445 | 7/24/2018 | Enforce message signing in the host's configuration.
On Windows, this is found in the policy setting
'Microsoft network server: Digitally sign
communications (always)'. On Samba, the setting is
called 'server signing'. See the 'see also' links for
further details. | Remove samba package
from build | NOS - N/A, Fixed in PKOS
>= 12.0.129 |
| Nonexistent Page
(404) Physical Path
Disclosure 443 | 7/24/2018 | Server notification of page which doesn’t exist | Upgrade the web server to the
latest version.Alternatively,
reconfigure the web server to
disable debug reporting. |
| TLS Server Supports TLS
version 1.1 (tlsv1_1-
enabled) | 7/24/2018 | The PCI (Payment Card Industry) Data Security
Standard requires a minimum of TLS v1.1 and
recommends TLS v1.2 | Disable TLS 1.0/1.1 | Fixed in NOS >= 10.12.157; PKOS
>= 12.0.128.5 |
| SHA-1-based
Signature in
TLS/SSL Server
X.509 Certificate (tlsserver-
cert-sig- algsha1) | 7/24/2018 | The SHA-1 hashing algorithm has known weaknesses
that expose it to collision attacks | Stop using signature
algorithms relying on SHA- 1,
such as "SHA1withRSA". | Turn off the SSL server in the
Security Settings of the thin client |
| TLS/SSL Server Is
Using Commonly Used
Prime Numbers (tlsdh-
primes) | 7/24/2018 | The server is using a common or default prime
number as a parameter during the Diffie-Hellman key
exchange. | Configure the server to use a
randomly generated Diffie-
Hellman group. | Turn off the SSL server in the
Security Settings of the thin client |
| TLS/SSL Server
Supports The Use of
Static Key Ciphers
(ssl-static-keyciphers) | 7/24/2018 | The server is configured to support ciphers known as
static key ciphers. | Configure the server to
disable support for static
key cipher suites. | Turn off the SSL server in the Security
Settings of the thin client |
| Unencrypted X11
Service Available
(x11-open-port) | 7/24/2018 | XWindows is an unencrypted protocol, as such it
sends sensitive data in clear text. | Stop the X Server from
listening on TCP ports,
ensure it is running with: -
nolisten tcp | Fixed in NOS >= 10.12.157.6; PKOS
>= 12.0.129 |
| TLS Server Supports
TLS version 1.0
(tlsv1_0-enabled) | 7/24/2018 | The PCI (Payment Card Industry) Data Security
Standard requires a minimum of TLS v1.1 and
recommends TLS v1.2 | Disable TLS 1.0/1.1 | Fixed in NOS >= 10.12.157; PKOS >=
12.0.128.5 |
| Self-signed TLS/SSL
certificate (ssl-selfsigned-
certificate) | 7/24/2018 | Self-signed certificates cannot be trusted by default | Generate a new certificate
usually signed by a trusted
Certification Authority (CA) | 10ZiG uses the certificate to encrypt
communications with the
management software. It is not used
to identify the system. |
| TLS/SSL Server is
enabling the BEAST
attack (ssl-cve-2011-
3389-beast) | 7/24/2018 | Weak ciphers for TLS 1.0/1.1 | The only option is to
disable the affected
protocols (SSLv3 and TLS
1.0). | Fixed in NOS >= 10.12.157; PKOS >=
12.0.128.5 |
| Untrusted TLS/SSL
server X.509
certificate (tlsuntrusted-
ca) | 7/24/2018 | The server's TLS/SSL certificate is signed by a
Certification Authority (CA) that is not well-known or
trusted. | Generate a new certificate
usually signed by a
Certification Authority (CA) | 10ZiG uses the certificate to encrypt
communications with the
management software. It is not used
to identify the system. |
| X.509 Certificate
Subject CN Does Not
Match the Entity
Name
(certificate-commonname-
mismatch) | 7/24/2018 | The subject common name (CN) field in the X.509
certificate does not match the name of the entity
presenting the certificate. | Generate a new certificate
usually signed by a trusted
Certification Authority (CA) | 10ZiG uses the certificate to encrypt
communications with the
management software. It is not used
to identify the system. |
| VNC remote control
service installed
(backdoor-vnc-0001) | 7/24/2018 | AT&T Virtual Network Computing (VNC) provides
remote users with access to the system it is installed
on. | Remove or disable this
service. | In the client VNC control panel
make sure the VNC mode is set
to "Disabled" or "On Demand".
This will close the VNC port. |
| VNC remote control
service installed with
no authentication
(backdoor-vnc-0002) | 7/24/2018 | AT&T Virtual Network Computing (VNC) provides
remote users with access to the system it is installed
on. This installation appears to be using no
authentication mechanism. | Remove or disable this
service. | In the client VNC control panel make
sure the VNC mode is set to either
"Disabled" or "On Demand". This will
close the VNC port. |
