go to Content
:::

TWCERT/CC Taiwan Computer Emergency Response Team/Coordination Center

:::

Date:
Font-stze:

ECOA BAS controller - Missing Encryption of Sensitive Data

TVN ID TVN-202109018
CVE ID CVE-2021-41302
CVSS 7.3 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Affected Products ECOA ECS Router Controller - ECS (FLASH)
ECOA RiskBuster Terminator - E6L45
ECOA RiskBuster System - RB 3.0.0
ECOA RiskBuster System - TRANE 1.0
ECOA Graphic Control Software
ECOA SmartHome II - E9246
ECOA RiskTerminator
Description ECOA BAS controller stores sensitive data (backup exports) in clear-text, thus the unauthenticated attacker can remotely query user password and obtain user’s privilege.
Solution Contact tech support from ECOA.
Credit Gjoko Krstic(Zero Science Lab)
Public Date 2021-09-30
Top