Chudypd

**Name of the Vulnerable Software and Affected Versions** Delta Electronics InfraSuite Device Master versions prior to 1.0.5 **Description** The issue is related to a lack of authentication for a critical function, which could allow an attacker to achieve unauthenticated remote code execution in the context of an administrator. This vulnerability may be exploited by a remote attacker to execute arbitrary code. **Recommendations** For Delta Electronics InfraSuite Device Master versions prior to 1.0.5, update to version 1.0.5 or later to resolve the issue. As a temporary workaround, consider restricting access to critical functions that may be exploited for remote code execution until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Delta Electronics InfraSuite Device Master versions prior to 1.0.5 **Description** The issue is related to the Device-status service listening on port 10100/UDP by default, accepting unverified UDP packets, and deserializing their content. This could allow an unauthenticated attacker to remotely execute arbitrary code. The vulnerability is associated with the deserialization of untrusted data, which may enable a remote attacker to execute arbitrary code using specially crafted UDP packets. **Recommendations** For versions prior to 1.0.5, update to version 1.0.5 or later to resolve the issue. As a temporary workaround, consider restricting access to port 10100/UDP to minimize the risk of exploitation. Additionally, disabling the Device-status service until a patch is applied may also help mitigate the risk.

**Name of the Vulnerable Software and Affected Versions** Delta Electronics InfraSuite Device Master versions prior to 1.0.5 **Description** The issue is related to a deserialization vulnerability in the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution. This vulnerability is associated with shortcomings in the deserialization mechanism, allowing an attacker to execute arbitrary code by sending specially crafted requests. **Recommendations** For versions prior to 1.0.5, update to version 1.0.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the Device-DataCollect service to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Delta Electronics InfraSuite Device Master versions prior to 1.0.5 **Description** The issue is related to a deserialization vulnerability in the Device-gateway service, which could allow deserialization of requests prior to authentication, resulting in remote code execution. This vulnerability is associated with shortcomings in the deserialization mechanism, allowing a remote attacker to execute arbitrary code. **Recommendations** For versions prior to 1.0.5, update to version 1.0.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the Device-gateway service to minimize the risk of exploitation. Avoid using the service for deserialization of untrusted data until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Delta Electronics InfraSuite Device Master versions prior to 1.0.5 **Description** The issue is related to errors in code generation, allowing an attacker to remotely execute arbitrary code by running Lua scripts. This could enable an attacker to perform unauthorized actions on the affected system. **Recommendations** For Delta Electronics InfraSuite Device Master versions prior to 1.0.5, update to version 1.0.5 or later to resolve the issue. As a temporary workaround, consider restricting the use of Lua scripts until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Delta Electronics InfraSuite Device Master versions prior to 1.0.5 **Description** The issue is related to a command injection vulnerability that could allow an attacker to inject arbitrary commands, potentially resulting in remote code execution. The vulnerability is associated with inadequate data cleaning measures at the management level, which could be exploited by a remote attacker to execute arbitrary code. **Recommendations** For Delta Electronics InfraSuite Device Master versions prior to 1.0.5, update to version 1.0.5 or later to resolve the command injection vulnerability. As a temporary workaround, consider restricting access to the command line interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Delta Electronics InfraSuite Device Master versions prior to 1.0.5 **Description** The issue is related to improper access control, which could allow an attacker to retrieve Gateway configuration files and obtain plaintext credentials. This could enable unauthorized access to sensitive information. **Recommendations** For versions prior to 1.0.5, update to version 1.0.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the Gateway configuration files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Delta Electronics InfraSuite Device Master versions prior to 1.0.5 **Description** The issue is related to insufficient input validation, allowing a low-level user to extract files and plaintext credentials of administrator users. This results in privilege escalation. The vulnerability can be exploited by a remote attacker to elevate their privileges. **Recommendations** For versions prior to 1.0.5, update to version 1.0.5 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and administrator credentials to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Delta Electronics InfraSuite Device Master versions prior to 1.0.5 **Description** The issue is related to the installation of incorrect directory permissions, which could allow an attacker to escalate their privileges locally. **Recommendations** For versions prior to 1.0.5, update to version 1.0.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the directory with incorrect permissions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Delta Electronics InfraSuite Device Master versions prior to 1.0.5 **Description** The issue is related to insufficient authorization mechanisms in the Device-Gateway service of the Delta Electronics InfraSuite Device Master software. This can be exploited by a remote attacker to escalate privileges by utilizing the Device-Gateway service and bypassing authorization. **Recommendations** For versions prior to 1.0.5, update to version 1.0.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the Device-Gateway service to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Delta Electronics InfraSuite Device Master versions prior to 1.0.5 **Description** The issue is related to insufficient input validation in the Delta Electronics InfraSuite Device Master software, which could allow an unauthenticated attacker to generate a valid token. This token generation could lead to authentication bypass, potentially enabling a remote attacker to elevate their privileges. **Recommendations** For versions prior to 1.0.5, update to version 1.0.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the authentication mechanism until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Delta Electronics InfraSuite Device Master versions prior to 1.0.5 **Description** The issue is related to a path traversal vulnerability, which could allow an attacker to read local files, disclose plaintext credentials, and escalate privileges. This vulnerability may be exploited by a remote attacker to gain elevated privileges. **Recommendations** For versions prior to 1.0.5, update to version 1.0.5 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation. Avoid using the `CtrlLayerNWCmd ReportFileOperation` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Delta Electronics InfraSuite Device Master versions prior to 1.0.5 **Description** The issue allows an attacker to retrieve system files, credentials, and bypass authentication, resulting in privilege escalation. This can be achieved through URL decoding. Additionally, the vulnerability is related to the restoration of unreliable data in memory, which can be exploited by a remote attacker to execute arbitrary code using specially crafted UDP packets. **Recommendations** For versions prior to 1.0.5, update to version 1.0.5 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive system files and credentials to minimize the risk of exploitation. Avoid using URL decoding to retrieve system files until the issue is resolved.