An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. When they are powered on, an X11 display server is started. The display server listens on all network interfaces and is accessible over port 6000. The X11 access control list, by default, allows connections from 127.0.0.1 and 192.168.2.15. If a device is powered on and later connected to a network with DHCP, the device may not be assigned the 192.168.2.15 IP address, leaving the display server accessible by other devices on the network. The exposed X11 display server can then be used to gain root privileges and the ability to execute code remotely by interacting with matchbox-desktop and spawning a terminal. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
When the device is powered on, an X11 server is automatically launched, which listens on all network interfaces on port 6000. The X11 server's default access control list (ACL) allows connections only from addresses 127.0.0.1 and 192.168.2.15. The problem occurs when the device is connected to a network with DHCP after startup — it may then receive an IP address different from 192.168.2.15, and the X11 server remains accessible to other devices on the network without any additional verification. An attacker gaining access to the X11 server can interact with the matchbox-desktop manager, launch a terminal, and thus execute arbitrary code with root privileges.
An unauthenticated attacker can obtain full root privileges on the device and remotely execute arbitrary code (RCE), resulting in complete loss of confidentiality, integrity, and availability of the system.
The manufacturer does not provide patches because the product is no longer supported. It is recommended to isolate devices from the network or implement network segmentation (firewall, dedicated VLAN) that prevents access to port 6000/TCP from outside. If device usage is necessary, ensure that after startup and before connecting to the DHCP network, the device obtains the IP address 192.168.2.15, or implement network-level access control that blocks traffic to port 6000. It is recommended to retire the devices from service and replace them with supported equivalents.
Thermo Fisher Ion Torrent OneTouch 2 (model INS1005527) — affects the firmware and the device itself. The manufacturer no longer supports these devices.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HThermofisher Ion Torrent Onetouch 2
HWThermofisherwszystkie wersjeThermofisher Ion Torrent Onetouch 2 Firmware
OSThermofisherwszystkie wersje
Related vulnerabilities
Słabe domyślne hasło root w urządzeniu Thermo Fisher Ion Torrent OneTouch 2
Domyślne słabe poświadczenia w Thermo Fisher Torrent Suite Software
dataTaker DT8x dEX 1.72.007 allows remote attackers to compose programs or schedules, for purposes such as sen...
dataTaker DT80 dEX 1.50.012 allows remote attackers to obtain sensitive credential and configuration informati...
An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. One of the middlewares i...