CVE-2018-11629

Default and unremovable support credentials (user:lutron password:integration) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the HomeWorks QS Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolve around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:lutron:stanza_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:lutron:stanza:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:lutron:radiora_2_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:lutron:radiora_2:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:lutron:homeworks_qs_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:lutron:homeworks_qs:-:*:*:*:*:*:*:*

History

07 Nov 2023, 02:51

Type Values Removed Values Added
Summary ** DISPUTED ** Default and unremovable support credentials (user:lutron password:integration) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the HomeWorks QS Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolve around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine. Default and unremovable support credentials (user:lutron password:integration) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the HomeWorks QS Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolve around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine

Information

Published : 2018-06-02 13:29

Updated : 2024-08-05 09:15


NVD link : CVE-2018-11629

Mitre link : CVE-2018-11629

CVE.ORG link : CVE-2018-11629


JSON object : View

Products Affected

lutron

  • radiora_2
  • stanza_firmware
  • homeworks_qs
  • homeworks_qs_firmware
  • radiora_2_firmware
  • stanza
CWE
CWE-798

Use of Hard-coded Credentials