Miele is working to mitigate a path traversal vulnerability a researcher released with proof-of-concept (PoC) exploit code.
The vulnerability affects the embedded webserver (“PST10 WebServer”) in Miele Professional PG 8528, a large capacity cleaner and disinfector used in hospitals and laboratory settings to disinfect medical and laboratory equipment, according to a report with ICS-CERT.
The path traversal vulnerability is remotely exploitable and could cause a loss of sensitive data and future attacks.
Researcher Jens Regel released this report without coordination with ICS-CERT.
Miele confirmed the vulnerability and is working on mitigations.
ICS-CERT issued the alert to provide early notice of the report and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.
Miele responded to reports saying “Miele dishwashers gateway for hackers” as follows:
“It is true that a security vulnerability was discovered in the course of a penetration test on a Miele machine. This security hole was not however discovered on a dishwasher but on a machine to disinfect medical products and laboratory equipment with the model designation PG 8528. Equally so, this machine cannot be misused as a ‘gateway for hackers’ as it does not have its own connection to the Internet.
“It is true, however, that only persons already inside the user’s internal network have access to data on the PG 8528. This vulnerability pinpointed during the penetration test results in the increased risk of an unauthorized read-out of data. With this data, hackers could possibly be successful in cracking passwords in order to obtain further access to machine software. There are, though, no indications whatsoever that this has indeed been the case on any of the machines affected. Furthermore, the abuse of machine data would neither facilitate access to third-party data nor to other machines or processes in the user’s network. Consequently, the security hole revealed in the course of a penetration test was only designated as being ‘moderately serious.’ ”
For details, click on Miele’s release.