CVE-2018-11682

Default and unremovable support credentials allow attackers to gain total super user control of an IoT device through a TELNET session to products using the Stanza Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolve around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:lutron:stanza_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:lutron:stanza:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:lutron:radiora_2_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:lutron:radiora_2:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:lutron:homeworks_qs_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:lutron:homeworks_qs:-:*:*:*:*:*:*:*

History

21 Nov 2024, 03:43

Type Values Removed Values Added
References () http://sadfud.me/explotos/CVE-2018-11629 - Third Party Advisory () http://sadfud.me/explotos/CVE-2018-11629 - Third Party Advisory
References () http://www.lutron.com/TechnicalDocumentLibrary/040249.pdf - () http://www.lutron.com/TechnicalDocumentLibrary/040249.pdf -
References () https://reversecodes.wordpress.com/2018/06/02/0-day-tomando-el-control-de-las-instalaciones-de-la-nasa-en-cabo-canaveral/ - Mitigation, Third Party Advisory () https://reversecodes.wordpress.com/2018/06/02/0-day-tomando-el-control-de-las-instalaciones-de-la-nasa-en-cabo-canaveral/ - Mitigation, Third Party Advisory

07 Nov 2023, 02:51

Type Values Removed Values Added
Summary ** DISPUTED ** Default and unremovable support credentials allow attackers to gain total super user control of an IoT device through a TELNET session to products using the Stanza Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolve around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine. Default and unremovable support credentials allow attackers to gain total super user control of an IoT device through a TELNET session to products using the Stanza Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolve around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine

Information

Published : 2018-06-02 13:29

Updated : 2024-11-21 03:43


NVD link : CVE-2018-11682

Mitre link : CVE-2018-11682

CVE.ORG link : CVE-2018-11682


JSON object : View

Products Affected

lutron

  • homeworks_qs_firmware
  • radiora_2_firmware
  • stanza
  • radiora_2
  • homeworks_qs
  • stanza_firmware
CWE
CWE-798

Use of Hard-coded Credentials