Thanks a Miele-on for making everything dangerous, Internet of things security slackers.
Don’t say you weren’t warned: Miele went full Internet-of-Things with a dishwasher, gave it a web server and now finds itself on the wrong end of a bug report it’s accused of ignoring.
The utterly predictable bug report at Full Disclosure details CVE-2017-7240, “Miele Professional PG 8528 – Web Server Directory Traversal”.
“The corresponding embedded Web server ‘PST10 WebServer’ typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aid in subsequent attacks.”
Proving it for yourself is simple: send a request of the form
GET /../../../../../../../../../../../../etc/shadow HTTP/1.1 to whatever IP address the dishwasher has on the LAN.
Directory traversal attacks let miscreants read files outside the directory tree a web server is meant to serve (here, the password hashes in /etc/shadow). If the server also lets them write into those directories, it’s party time, because they can drop their own code and tell the web server to execute it.
It’s unclear which libraries Miele used to craft the Web server, which means without a fix from the vendor – for a dishwasher – the best option is to make sure the appliance isn’t exposed to the Internet.
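Two things a defender can do with the traversal bug described above, written as an added example rather than anything from Miele, the advisory or the researcher: the path check a web server should apply before touching the filesystem (the fix the vendor would need to ship), and a detector that flags traversal attempts in an access log while no fix exists. The document root /srv/www, the log format and the log lines themselves are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical document root; nothing outside it may ever be served.
WEB_ROOT = "/srv/www"


def resolve_request_path(web_root, request_path):
    """Map an HTTP request path onto the filesystem, refusing anything that
    would escape web_root. Returns the absolute path, or None to reject."""
    # Decode percent-encoding exactly once. If a '%' survives, the client sent
    # a double-encoded sequence (e.g. %252e%252e); reject rather than decode again.
    decoded = unquote(request_path)
    if "%" in decoded or "\x00" in decoded:
        return None
    root = posixpath.normpath(web_root)
    # Join first, normalise second: normpath collapses the '..' segments so the
    # escape in "/../../etc/shadow" becomes visible as a path outside the root.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Accept only the root itself or something strictly below it.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Common Log Format, as written by most HTTP servers (constructed sample below).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+"
)
# A '..' that forms a whole path segment, i.e. /../ or a leading/trailing '..'.
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")


def find_traversal_attempts(log_lines):
    """Return (client_ip, decoded_path) for every log line whose request path
    contains a '..' segment after percent-decoding, so %2e%2e/ is caught too."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip, don't crash
        path = unquote(match.group("path"))
        if TRAVERSAL_RE.search(path):
            hits.append((match.group("ip"), path))
    return hits


# Constructed sample log: two ordinary requests, two traversal attempts, and a
# filename containing '..' that must not be reported as traversal.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Mar/2017:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.77 - - [24/Mar/2017:10:12:05 +0000] "GET /../../../../etc/shadow HTTP/1.1" 200 1044',
    '192.0.2.77 - - [24/Mar/2017:10:12:09 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 2331',
    '192.0.2.10 - - [24/Mar/2017:10:12:30 +0000] "GET /css/style..css HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for req in ["/index.html", "/docs/../index.html", "/../../../../etc/shadow", "/%252e%252e/x"]:
        print(f"{req:32} -> {resolve_request_path(WEB_ROOT, req)}")
    for ip, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```

The order of operations in resolve_request_path matters: joining the raw path to the root and then normalising is what exposes the escape, whereas normalising the request path on its own first would silently collapse a leading "/../.." to "/" and hide it. The detector deliberately decodes before matching and only counts ".." when it is a complete segment, so a legitimate file called style..css is not reported while an encoded %2e%2e/ is.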
And because Miele is an appliance company and not a pure-play IT company, it doesn’t have a process for reporting or fixing bugs.
The researcher who noticed the dishwasher’s Web server (please, readers, ponder those three words in succession and tell us they don’t make you want to grab pitchforks), Jens Regel of German company Schneider-Wulf, complains that Miele never responded to his notification, first made in November 2016.