
Dishwasher has directory traversal bug

Thanks a Miele-on for making everything dangerous, Internet of Things firmware slackers

Don't say you weren't warned: Miele went full Internet-of-Things with a network-connected dishwasher, gave it a web server, and now finds itself on the wrong end of a security bug report – and it's accused of ignoring the warning.

The utterly predictable vulnerability advisory on the Full Disclosure mailing list details CVE-2017-7240 – aka “Miele Professional PG 8528 - Web Server Directory Traversal.” This is the built-in web server that's used to remotely control the glassware-cleaning machine from a browser.

“The corresponding embedded Web server 'PST10 WebServer' typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aid in subsequent attacks,” reads the notice, dated Friday.

Proving it for yourself is simple: using a basic HTTP GET, fetch...

/../../../../../../../../../../../../etc/shadow

...from whichever IP address the dishwasher has on your network to reveal the shadow password file on its file system. That's pretty sad.

Directory traversal attacks let miscreants access directories and data they really shouldn't be able to reach, such as sensitive configuration files and similar stuff. This information can be exploited to potentially wrest control of the at-risk system. In other words, you can use this traversal vulnerability to gain a foothold to potentially hijack the machine and infect it with malware.

It's unclear which libraries or software components Miele used to craft the web server in the dishwasher's firmware. The PG 8528, which boasts "remote service" features and is designed for restaurants and bars, appears to be running a form of embedded Linux. Without a fix from the vendor – for a professional dishwasher – the best option is to make sure the appliance isn't exposed directly to the internet, or otherwise firewall it off from other devices.
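What a fix on the server side looks like, and how an administrator can spot the traversal request above in access logs, as added example code. This is not Miele's firmware or the 'PST10 WebServer' implementation; the document root, function names and the sample log lines are constructed for the example.

```python
"""Directory traversal in a static-file handler: the naive resolution
that lets '/../' escape the document root, a hardened version, and a
small access-log detector.  Added example code, not Miele's."""
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/srv/www"  # assumed document root for this example


def naive_resolve(url_path: str, web_root: str = WEB_ROOT) -> str:
    """Vulnerable pattern: glue the request path onto the root and let
    the '..' components walk wherever they like."""
    return posixpath.normpath(web_root + "/" + url_path)


def safe_resolve(url_path: str, web_root: str = WEB_ROOT):
    """Hardened pattern: percent-decode, reject NUL bytes, normalise,
    then require the result to stay inside web_root.  Returns the
    resolved path, or None when the request would escape the root."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Plain and percent-encoded forms of a '../' segment in a request path.
TRAVERSAL_RE = re.compile(r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f)", re.IGNORECASE)


def traversal_requests(log_lines):
    """Return (client, path) for Common Log Format lines whose request
    path contains a traversal sequence, encoded or not."""
    hits = []
    for line in log_lines:
        m = re.search(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+)', line)
        if m and TRAVERSAL_RE.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample log lines for the example; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Mar/2017:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Mar/2017:10:01:07 +0000] "GET /../../../../../../../../../../../../etc/shadow HTTP/1.1" 200 998',
    '10.0.0.9 - - [24/Mar/2017:10:01:09 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
]
```

posixpath.normpath is purely lexical; a real handler should additionally resolve symlinks (os.path.realpath) before the containment test, since a link inside the document root can otherwise point outside it.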

And because Miele is an appliance company and not a pure-play IT company, it doesn't have a process for reporting or fixing security bugs. The researcher who noticed the dishwasher's web server vuln – Jens Regel of German company Schneider-Wulf – complains that Miele never responded when he contacted the biz with his findings; he says his first contact was made in November 2016.

Appliance makers: stop trying to connect stuff to networks, you're no good at it. ®

Bootnote

The researcher who discovered the bug, Jens Regel, has stressed that the vulnerable Miele unit is not a household dishwasher, but a commercial-level washer and disinfector. To our mind, that's as bad, if not worse: it's a vulnerability in a business-critical device, still without appropriate attention or responsiveness to security issues.
