Adding Data Not Encrypted at Rest
RRudder committed Mar 17, 2024
1 parent a6c75c2 commit 8596c0a
Showing 2 changed files with 44 additions and 0 deletions.
@@ -0,0 +1,22 @@
# Data Not Encrypted at Rest (Non-Sensitive)

## Overview of the Vulnerability

The device stores non-sensitive data that is not encrypted at rest. Despite the data not being directly exploitable, its accessibility due to lack of encryption allows attackers with physical access to the device to retrieve this information. This exposure could facilitate reverse engineering efforts or aid in future exploitation attempts, indirectly compromising the system's security.

## Business Impact

While the data in question is classified as non-sensitive, its exposure still poses security risks. Unauthorized access to this data can provide attackers with insights into the device's operations or architecture, potentially leading to vulnerabilities being uncovered. This situation can undermine the security posture of the device, leading to increased susceptibility to targeted attacks, erosion of customer confidence, and potential reputational damage.

## Steps to Reproduce

1. Gain physical access to the device and remove the cover as seen in the images below.
1. Locate the hard drive on the device, and remove it.
1. Using a external hard drive caddy, mount the device.
1. Observe that it is possible to access the filesystem, demonstrating the lack of encryption at rest.

## Proof of Concept (PoC)

The following screenshot(s) demonstrate(s) this vulnerability:

{{screenshot}}
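
Review bot: Step 3 of Steps to Reproduce reads "Using a external hard drive caddy, mount the device"; this should be "an external", and since step 2 removes the hard drive, it is the drive that gets mounted, not the device. Step 1 also refers to "the images below", but the only image placeholder in the template is {{screenshot}} under Proof of Concept, so either add a placeholder next to the steps or reword the reference to point at the PoC section.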
@@ -0,0 +1,22 @@
# Data Not Encrypted at Rest (Sensitive)

## Overview of the Vulnerability

The device stores sensitive data that is not encrypted at rest, compromising the confidentiality and integrity of the data. This oversight allows an attacker with physical access to the device to easily access and potentially compromise the sensitive data contained within, exposing personal information, secrets, or credentials.

## Business Impact

The absence of encryption for sensitive data at rest on the device poses a significant risk to data confidentiality and integrity. This vulnerability can lead to data breaches, unauthorized access to sensitive information, and potential financial and reputational damages to the organization. It undermines the trust of customers and partners and may result in non-compliance with regulatory requirements related to data protection and privacy.

## Steps to Reproduce

1. Gain physical access to the device and remove the cover as seen in the images below.
1. Locate the hard drive on the device, and remove it.
1. Using a external hard drive caddy, mount the device.
1. Observe that it is possible to access the filesystem, demonstrating the lack of encryption at rest.

## Proof of Concept (PoC)

The following screenshot(s) demonstrate(s) this vulnerability:

{{screenshot}}
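
Review bot: The Steps to Reproduce are identical to the non-sensitive template, and step 4 stops at "access the filesystem", so nothing in the steps establishes that sensitive data is present, which is the only thing that separates this variant from the other. Suggest adding a step that records which personal information, secrets, or credentials were readable and where they were found. The Overview and Business Impact also claim an integrity impact while the steps only show read access; either add a step that demonstrates modification of the stored data or limit the claim to confidentiality.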
