CVE-2022-33321 refers to the Cleartext Transmission of Sensitive Information vulnerability that occurs due to the use of Basic Authentication over HTTP connections in an extensive range of Mitsubishi Electric consumer electronics products. This vulnerability allows a remote unauthenticated attacker to gain access to sensitive information in these products or even cause a denial of service (DoS) condition by sniffing credential information (username and password). The sheer number of models and versions affected make this vulnerability particularly concerning for users.

Affected Products

The vulnerability affects several Mitsubishi Electric consumer electronics products, including but not limited to:

Air Purifier

To find the specific models and versions affected by this vulnerability, refer to Mitsubishi Electric's advisory, which is listed in the [References] section below.

Exploit Details

This vulnerability originates from the use of Basic Authentication for HTTP connections, which sends the username and password in base64 encoded cleartext. Because the information is not encrypted, an attacker can easily intercept it while it is being transmitted. The attacker can then decode the base64 encoded string to obtain plaintext username and password information, allowing unauthorized access to the affected product. Additionally, an attacker can use this information to cause a denial of service (DoS) condition, crippling the functionality of the affected device.

Proof of Concept (PoC)

The following code snipplet demonstrates the transmission of the username and password via Basic Authentication over HTTP connection:

import base64
import requests

username = "your_username"
password = "your_password"

# Encoding username and password in base64
credentials = f"{username}:{password}"
encoded_credentials = base64.b64encode(credentials.encode()).decode()

# Sending HTTP request with Basic Authentication
request_headers = {"Authorization": f"Basic {encoded_credentials}"}
response = requests.get("http://url_to_your_device";, headers=request_headers)

print(response.text)

Mitigation

To mitigate this vulnerability, Mitsubishi Electric advises users to update their devices with the latest firmware, which implements a more secure authentication mechanism. Users should also ensure that they are using secure network connections to minimize the risk of credential theft.

Additionally, users should promptly change their default login credentials and keep track of any suspicious activity on their devices.

References

- Mitsubishi Electric Security Advisory
- CVE-2022-33321 Details
- NVD - CVE-2022-33321

Conclusion

CVE-2022-33321 is a critical vulnerability affecting a wide range of Mitsubishi Electric consumer electronics products. By exploiting this vulnerability, an attacker can compromise sensitive information and cause a denial of service (DoS) condition. Users of the affected products are urged to apply all available updates and follow the recommended mitigation strategies to protect their devices from potential attacks.

Timeline

Published on: 11/08/2022 20:15:00 UTC
Last modified on: 01/09/2023 19:48:00 UTC