
We are happy to announce that Ingenico has fixed the vulnerabilities discovered by our team.

Ingenico (Telium2 OS):

CVE-2018-17767 - Hardcoded PPP credentials. CVSS v3.1 Base Score: 5.1, Vector AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

CVE-2018-17771 - Hardcoded FTP credentials. CVSS v3.1 Base Score: 4.9, Vector AV:P/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CVE-2018-17774 - Insecure NTPT3 protocol. CVSS v3.1 Base Score: 4.9, Vector AV:P/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CVE-2018-17768 - Insecure TRACE protocol. CVSS v3.1 Base Score: 5.1, Vector AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

CVE-2018-17765 - Undeclared TRACE protocol commands. CVSS v3.1 Base Score: 3.8, Vector AV:P/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CVE-2018-17766 - NTPT3 protocol - file reading restrictions bypass. CVSS v3.1 Base Score: 2.4, Vector AV:P/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

CVE-2018-17769 - Buffer overflow via the 0x26 command of the NTPT3 protocol. CVSS v3.1 Base Score: 4.9, Vector AV:P/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CVE-2018-17770 - Buffer overflow via the ‘RemotePutFile’ command of the NTPT3 protocol. CVSS v3.1 Base Score: 4.9, Vector AV:P/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CVE-2018-17772 - Arbitrary code execution via the TRACE protocol (r/w memory). CVSS v3.1 Base Score: 7.6, Vector AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2018-17773 - Buffer overflow via SOCKET_TASK in the NTPT3 protocol. CVSS v3.1 Base Score: 8.3, Vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

The only evidence of the patched version, and of the patch itself, is this part of the HackerOne communication with the Ingenico Security Team:

We will keep you updated!
