Sebastian Toscano

**Name of the Vulnerable Software and Affected Versions** BLU-IC2 versions through 1.19.5 BLU-IC4 versions through 1.19.5 **Description** A denial of service condition exists due to SlowLoris attacks. This impacts the availability of the affected systems. **Recommendations** BLU-IC2 versions through 1.19.5 should be updated. BLU-IC4 versions through 1.19.5 should be updated.

**Name of the Vulnerable Software and Affected Versions** BLU-IC2 versions through 1.19.5 BLU-IC4 versions through 1.19.5 **Description** A malfunction exists in the Web UI when an unexpected locale is set via an API. The issue involves setting a locale through an API call, which leads to a Web UI malfunction. The API endpoint used is not specified. The vulnerable parameter or variable is not specified. **Recommendations** Update BLU-IC2 to a version later than 1.19.5. Update BLU-IC4 to a version later than 1.19.5.

**Name of the Vulnerable Software and Affected Versions** BLU-IC2 versions through 1.19.5 BLU-IC4 versions through 1.19.5 **Description** Multiple devices are sharing the same secrets for SDKSocket, which uses TCP port 5000. This could allow unauthorized access or compromise of devices utilizing this communication channel. **Recommendations** Update BLU-IC2 to a version later than 1.19.5. Update BLU-IC4 to a version later than 1.19.5.

**Name of the Vulnerable Software and Affected Versions** BLU-IC2 versions through 1.19.5 BLU-IC4 versions through 1.19.5 **Description** The file '/etc/avahi/services/z9.service' is susceptible to arbitrary writes. This allows unauthorized modification of the file. **Recommendations** BLU-IC2 versions through 1.19.5: Update to a newer version. BLU-IC4 versions through 1.19.5: Update to a newer version.

**Name of the Vulnerable Software and Affected Versions** BLU-IC2 versions through 1.19.5 BLU-IC4 versions through 1.19.5 **Description** The `/etc/timezone` file can be written to arbitrarily. This allows for potential modification of system-wide timezone settings. **Recommendations** Update BLU-IC2 to a version later than 1.19.5. Update BLU-IC4 to a version later than 1.19.5.

**Name of the Vulnerable Software and Affected Versions** BLU-IC2 versions through 1.19.5 BLU-IC4 versions through 1.19.5 **Description** The software exhibits an insufficient password policy. This allows for the use of weak or easily guessable passwords, potentially compromising account security. **Recommendations** For BLU-IC2 versions through 1.19.5, implement a stronger password policy that enforces minimum length, complexity, and regular password changes. For BLU-IC4 versions through 1.19.5, implement a stronger password policy that enforces minimum length, complexity, and regular password changes.

**Name of the Vulnerable Software and Affected Versions** BLU-IC2 versions through 1.19.5 BLU-IC4 versions through 1.19.5 **Description** The email server certificate verification is disabled, which allows for trivial man-in-the-middle (MITM) attacks. This poses a catastrophic security risk. **Recommendations** For BLU-IC2 versions through 1.19.5, enable TLS verification. For BLU-IC4 versions through 1.19.5, enable TLS verification.

**Name of the Vulnerable Software and Affected Versions** BLU-IC2 versions through 1.19.5 BLU-IC4 versions through 1.19.5 **Description** The software is missing security headers. This can potentially allow for various attacks, though specific details are not provided. **Recommendations** Update BLU-IC2 to a version later than 1.19.5. Update BLU-IC4 to a version later than 1.19.5.

**Name of the Vulnerable Software and Affected Versions** BLU-IC2 versions through 1.19.5 BLU-IC4 versions through 1.19.5 **Description** The credits page displayed in the firmware does not accurately reflect the versions in use. **Recommendations** For BLU-IC2 versions through 1.19.5, ensure the firmware version displayed on the credits page is verified against the actual installed version. For BLU-IC4 versions through 1.19.5, ensure the firmware version displayed on the credits page is verified against the actual installed version.

**Name of the Vulnerable Software and Affected Versions** BLU-IC2 versions through 1.19.5 BLU-IC4 versions through 1.19.5 **Description** The software experiences systemic internal server errors, resulting in HTTP 500 responses. **Recommendations** Update BLU-IC2 to a version later than 1.19.5. Update BLU-IC4 to a version later than 1.19.5.

**Name of the Vulnerable Software and Affected Versions** BLU-IC2 versions through 1.19.5 BLU-IC4 versions through 1.19.5 **Description** The software exhibits a lack of graceful error handling, resulting in HTTP 5xx errors. **Recommendations** For BLU-IC2 versions through 1.19.5, implement robust error handling to prevent the generation of HTTP 5xx errors. For BLU-IC4 versions through 1.19.5, implement robust error handling to prevent the generation of HTTP 5xx errors.

**Name of the Vulnerable Software and Affected Versions** BLU-IC2 versions through 1.19.5 BLU-IC4 versions through 1.19.5 **Description** The software is susceptible to a resource lacking authentication issue. This allows unauthorized access to resources. **Recommendations** Update BLU-IC2 to a version later than 1.19.5. Update BLU-IC4 to a version later than 1.19.5.

**Name of the Vulnerable Software and Affected Versions** BLU-IC2 versions through 1.19.5 BLU-IC4 versions through 1.19.5 **Description** The software reveals its version information. This could potentially allow attackers to gather information about the system to target it with specific exploits. **Recommendations** Update BLU-IC2 to a version later than 1.19.5. Update BLU-IC4 to a version later than 1.19.5.

**Name of the Vulnerable Software and Affected Versions** BLU-IC2 versions through 1.19.5 BLU-IC4 versions through 1.19.5 **Description** The software exhibits a non-compliant TLS configuration. **Recommendations** Update BLU-IC2 to a version later than 1.19.5. Update BLU-IC4 to a version later than 1.19.5.

**Name of the Vulnerable Software and Affected Versions** BLU-IC2 versions through 1.19.5 BLU-IC4 versions through 1.19.5 **Description** A systemic lack of Cross-Site Request Forgery (CSRF) token implementation exists. This complete absence of CSRF protections in BLU-IC controllers allows for trivial account takeover and system manipulation. Cross-Site Request Forgery (CSRF) is a type of web security flaw that allows an attacker to induce a user to perform actions on a web application in which they’re currently authenticated. **Recommendations** BLU-IC2 versions through 1.19.5: At the moment, there is no information about a newer version that contains a fix for this vulnerability. BLU-IC4 versions through 1.19.5: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BLU-IC2 versions through 1.19.5 BLU-IC4 versions through 1.19.5 **Description** The software contains a privilege escalation issue stemming from a SUID-bit binary. This allows for potential unauthorized access and control within the system. **Recommendations** BLU-IC2 versions through 1.19.5: At the moment, there is no information about a newer version that contains a fix for this vulnerability. BLU-IC4 versions through 1.19.5: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BLU-IC2 versions through 1.19.5 BLU-IC4 versions through 1.19.5 **Description** A flaw exists in the upgrade feature that could allow for arbitrary file writing, potentially leading to super user permissions on a device. **Recommendations** BLU-IC2 versions prior to 1.19.5 should be updated. BLU-IC4 versions prior to 1.19.5 should be updated.

**Name of the Vulnerable Software and Affected Versions** BLU-IC2 versions through 1.19.5 BLU-IC4 versions through 1.19.5 **Description** A flaw exists where protocol manipulation could result in a denial of service. **Recommendations** BLU-IC2 versions through 1.19.5: At the moment, there is no information about a newer version that contains a fix for this vulnerability. BLU-IC4 versions through 1.19.5: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BLU-IC2 versions through 1.19.5 BLU-IC4 versions through 1.19.5 **Description** This issue involves local privilege escalation. The affected software allows an attacker to gain elevated privileges on a system. At the moment, there is no information about the number of potentially affected devices worldwide or any real-world incidents where this issue was exploited. **Recommendations** BLU-IC2 versions through 1.19.5: At the moment, there is no information about a newer version that contains a fix for this vulnerability. BLU-IC4 versions through 1.19.5: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BLU-IC2 versions prior to 1.19.6 BLU-IC4 versions prior to 1.19.6 **Description** Error messages are wrapped in the HTTP header. **Recommendations** Update BLU-IC2 to version 1.19.6 or later. Update BLU-IC4 to version 1.19.6 or later.