Beck IPC GmbH IPC@CHIP TelnetD Account Enumeration Vulnerability
The IPC@Chip is a single-chip embedded webserver from Beck GmbH.
The device's inbuilt telnetd service may allow a remote user to confirm names of valid telnet accounts.
When an attacker attempts to log in to the telnet service with a given user ID, the attacker receives a prompt for the password only if the supplied account name exists. This confirms for the attacker that the given ID is valid.
In combination with brute-force password techniques, to which this device is reportedly vulnerable, this can permit a remote attacker to compromise arbitrary accounts on the system. Properly exploited, this can lead to a compromise of the device's normal operation.
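The prompt behaviour described above, next to a login flow that does not reveal whether an account exists. This is an added example, not Beck's telnetd code; the account table, function names and dummy secret are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed account table for illustration; not taken from the device. */
struct account { const char *user; const char *pass; };
static const struct account accounts[] = { { "tel", "s3cret-A" }, { "ops", "s3cret-B" } };
#define N_ACCOUNTS (sizeof accounts / sizeof accounts[0])
enum prompt { PROMPT_LOGIN, PROMPT_PASSWORD };

static const struct account *find_account(const char *user) {
    for (size_t i = 0; i < N_ACCOUNTS; i++)
        if (strcmp(accounts[i].user, user) == 0) return &accounts[i];
    return NULL;
}

/* Behaviour described in the advisory: the password prompt appears only for
   an existing account, so the prompt itself confirms that the ID is valid. */
enum prompt next_prompt_vulnerable(const char *user) {
    return find_account(user) ? PROMPT_PASSWORD : PROMPT_LOGIN;
}

/* Hardened: every user ID, known or not, is followed by the same prompt. */
enum prompt next_prompt_hardened(const char *user) {
    (void)user;
    return PROMPT_PASSWORD;
}

/* Compare two strings without stopping at the first mismatching byte. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la; i++) diff |= (unsigned char)(a[i] ^ b[lb ? i % lb : 0]);
    return diff == 0;
}

/* Hardened check: an unknown user is still compared against a dummy secret,
   and unknown user and wrong password produce the same single failure result. */
int check_login_hardened(const char *user, const char *pass) {
    const struct account *acct = find_account(user);
    int ok = ct_equal(pass, acct ? acct->pass : "dummy-never-valid");
    return (acct != NULL) & ok;
}

int main(void) {
    printf("unknown ID, vulnerable prompt: %d\n", (int)next_prompt_vulnerable("nobody"));
    printf("unknown ID, hardened prompt:   %d\n", (int)next_prompt_hardened("nobody"));
    return 0;
}
```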