SITEL CAP/PRX cleartext transmission of sensitive information
CAP/PRX, firmware version 5.2.01.
INCIBE has coordinated the publication of a vulnerability in the CAP/PRX device, with the internal code INCIBE-2021-0181, which was discovered by the Industrial Cybersecurity team of S21sec, with special mention to Aarón Flecha Menéndez and Luis Martín Liras, as an independent researcher.
CVE-2021-32456 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
The fix for this vulnerability is available as of version 1.2 of the CAP-PRX-NG platform.
Legitimate users authenticate to the CAP/PRX web panel over HTTP, so the access credentials are transmitted in plaintext.
An attacker with access to the local network of the device, or to the device user's computer, could obtain the authentication passwords by analysing the network traffic.
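As an added example (not from the advisory or from SITEL), the following check lets an asset owner confirm from a saved copy of a device login page whether its password form would submit over plain HTTP. It assumes an HTML form login, which the advisory does not specify; the sample page, field names, path and address are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormFinder(HTMLParser):
    """Collects the action of every <form> that contains a password input."""

    def __init__(self):
        super().__init__()
        self._in_form = False
        self._has_password = False
        self._action = ""
        self.actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._in_form, self._has_password = True, False
            self._action = a.get("action") or ""  # empty action posts to the page itself
        elif tag == "input" and self._in_form and (a.get("type") or "").lower() == "password":
            self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._in_form:
            if self._has_password:
                self.actions.append(self._action)
            self._in_form = False


def cleartext_login_targets(page_url, html):
    """Return the URLs to which password forms on the page submit over plain HTTP."""
    finder = _LoginFormFinder()
    finder.feed(html)
    finder.close()
    # Resolve relative actions against the page URL, as a browser would.
    targets = [urljoin(page_url, action) for action in finder.actions]
    return [t for t in targets if urlsplit(t).scheme == "http"]


# Constructed sample: hypothetical login page, not taken from the device.
SAMPLE = """<html><body>
<form method="post" action="/login.cgi">
  <input type="text" name="user"><input type="password" name="pass">
</form></body></html>"""

if __name__ == "__main__":
    for base in ("http://192.0.2.10/", "https://192.0.2.10/"):
        print(base, cleartext_login_targets(base, SAMPLE))
```

A non-empty result means the credentials leave the browser unencrypted, including the case where an HTTPS page posts to an absolute `http://` action.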
This vulnerability has been corrected in the affected products through SITEL's continuous improvement processes.
CWE-319: Cleartext Transmission of Sensitive Information.
Timeline:
11/08/2017 - Researchers' disclosure.
02/10/2020 - Researchers contact INCIBE.
08/02/2021 - SITEL confirms the vulnerability to INCIBE and the publication of the corrective version and the new software version (security patch).
13/05/2021 - INCIBE publishes the advisory.
If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.