Multiple Vulnerabilities in th... Note

Multiple Vulnerabilities in the Deep Sea Electronics DSE855

Trend Micro's ZDI released multiple advisories highlighting vulnerabilities in the Deep Sea Electronics DSE855 communications device.The device allows monitoring via a USB connection and lacks basic authentication measures, leading to configuration backup disclosure.Two additional unauthenticated handlers allow attackers to restart or factory reset the device.Fuzzing the device revealed a stack-based buffer overflow in the handling of boundary values in multipart requests, potentially leading to arbitrary code execution.Another buffer overflow was identified in the handling of values in multipart requests, allowing attackers to overwrite memory and potentially execute arbitrary code.A logic error in boundary value handling resulted in an infinite loop and denial of service.Despite reporting the vulnerabilities to Deep Sea Electronics in January, no patches were released within the 120-day standard ZDI timeframe, prompting the publication of 0-day advisories in June.The device's software is based on the embOS/IP middleware from Segger, which had no apparent authentication mechanism for critical functions.The embedded system lacked exploit mitigations like the NX bit or layout randomization, making it vulnerable to exploitation.ZDI emphasizes the importance of responsible vulnerability disclosure and encourages vendors to implement proper incident response processes.