Security problem with ZipaMicro

Beat shared this thanks 48 days ago

Did anybody know about this blackmarble report?

@Zipato: please let us know which firmware version is safe! And is the same problem also for Zipabox and Zipatile?


Thanks

Beat

Comments (5)


Old news. Already solved. Look at the comment at the end of this article.


Dear John Rabbit!!


● Wed, March 20th, 2019: Zipato responded saying issues were fixed.

● Tue, July 2nd, 2019: Public disclosure

This is what it says, but for users it would be nice to know in which firmware this is solved.


So if you could maybe bite into your carrot and talk to the Zipato guys about it, and then they could make an announcement about it?


Just so we all feel a bit safer in these crazy days...


Kind regards


Beat


Hi,

Thank you for remembering eating my carrot. So I did.

2 or 3 months ago I saw an announcement about this vulnerability. I can't remember the source, but it was not this company. Approx. 6 weeks ago I saw an outline of an article about this. It looked pretty much the same. Maybe it was a draft. I don't know. However, I consider it as being not important for me. So for me, there was no need to report it then or now.

BTW, you are right with your remark that Zipato should mention when and where it was fixed. Probably in +/- 1.3.61. However, the details of this release were somewhere on this forum, but I cannot find them anymore. And keep in mind that fixing the problem always has 2 sides: the firmware and the cloud software. We never see a version indicator of the cloud software, and that is sometimes even more important than the firmware version. In the cloud your rules and devices, etc. are compiled into a (vulnerable) executable.

So starting to eat my next carrot.


Enjoy your carrot... and yes, this is helpful information, wherever you have dug it out...


Thanks

Beat


Researcher here. I check Google every now and then just to see what's going on with the research. Anyway, the main issues with the API were not resolved in Zipato. They were resolved in the OEM with the vendor that uses them.


Zipato still has the pass-the-hash vulnerability. They did fix the SSH issue, but haven't tested it. Check Zipato's API docs; it still shows SHA1(nonce + SHA1(password)), which is pass the hash.


I was just going off their confirmation email only.
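To make concrete what the researcher means by "pass the hash" in a SHA1(nonce + SHA1(password)) challenge/response, here is an added Python example. It is not code from Zipato, from the researcher, or from the blackmarble report; the `Server` class, the user names and the wordlist are constructed for the demo, and it assumes the nonce and the inner hash are hex strings concatenated before the outer SHA1 (the API's exact encoding is not shown on this page). It shows two things: whoever holds only SHA1(password) can answer any fresh nonce without ever knowing the password, and a single captured (nonce, response) pair can be cracked offline with a dictionary because the inner hash is plain, unsalted, unstretched SHA1.

```python
import hashlib
import hmac
import os

# Constructed demo credentials (not a real account).
USERNAME = "alice"
PASSWORD = "correct horse battery staple"


def sha1_hex(data: str) -> str:
    """SHA1 over the UTF-8 bytes of a string, as lowercase hex."""
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def stored_verifier(password: str) -> str:
    """What the server keeps per user: SHA1(password).
    Hex encoding is an assumption of this demo."""
    return sha1_hex(password)


def respond(nonce: str, password_hash: str) -> str:
    """The response SHA1(nonce + SHA1(password)) from the API docs.
    Note the input is the inner hash, never the password itself."""
    return sha1_hex(nonce + password_hash)


class Server:
    """Minimal challenge/response server modelled on that scheme (demo only)."""

    def __init__(self):
        self._users = {}    # user -> SHA1(password)
        self._pending = {}  # user -> outstanding nonce

    def register(self, user: str, password: str) -> None:
        self._users[user] = stored_verifier(password)

    def challenge(self, user: str) -> str:
        nonce = os.urandom(16).hex()
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: str) -> bool:
        nonce = self._pending.pop(user, None)
        if nonce is None or user not in self._users:
            return False
        expected = respond(nonce, self._users[user])
        return hmac.compare_digest(expected, response)


def legitimate_login(server: Server, user: str, password: str) -> bool:
    """Normal client: derives the inner hash from the password it knows."""
    nonce = server.challenge(user)
    return server.verify(user, respond(nonce, stored_verifier(password)))


def pass_the_hash_login(server: Server, user: str, leaked_hash: str) -> bool:
    """Attacker: holds only SHA1(password) (e.g. from a leaked user table).
    No cracking is needed; the stored hash is a password equivalent."""
    nonce = server.challenge(user)
    return server.verify(user, respond(nonce, leaked_hash))


def offline_crack(nonce: str, captured_response: str, wordlist) -> str:
    """Second weakness: one sniffed (nonce, response) pair is enough for an
    offline dictionary attack, since SHA1 is fast, unsalted and unstretched."""
    for guess in wordlist:
        if respond(nonce, stored_verifier(guess)) == captured_response:
            return guess
    return None


def demo() -> dict:
    server = Server()
    server.register(USERNAME, PASSWORD)

    ok_legit = legitimate_login(server, USERNAME, PASSWORD)

    leaked = server._users[USERNAME]  # simulate a leak of the stored hash
    ok_pth = pass_the_hash_login(server, USERNAME, leaked)

    # Capture one legitimate exchange "on the wire", then crack it offline.
    nonce = server.challenge(USERNAME)
    response = respond(nonce, stored_verifier(PASSWORD))
    server.verify(USERNAME, response)
    wordlist = ["password", "letmein", PASSWORD, "hunter2"]  # constructed
    cracked = offline_crack(nonce, response, wordlist)

    return {"legitimate": ok_legit, "pass_the_hash": ok_pth, "cracked_password": cracked}


if __name__ == "__main__":
    print(demo())
```

The property being demonstrated is general: in any challenge/response where the server verifies with the same value the client proves knowledge of, that stored value is a password equivalent, so hashing the password once before the exchange does not change the threat model of a database leak. Mitigations are out of scope of the thread; the point here is only that the comment's reading of the documented formula is correct.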
