Zero-Day Advisory

Fortinet Discovers InHand Networks InConnect Service Broken Access Control Vulnerability

Summary

Fortinet's FortiGuard Labs has discovered a Broken Access Control vulnerability in the InHand Networks InConnect service (ics.inhandnetworks.com).


InConnect is a simple "plug & play" service that builds secure remote networks for machines (IPCs, servers, IP cameras, PLCs, HMIs, RTUs, controllers, etc.). Featuring user-friendly interfaces and simple operation, the SaaS (Software as a Service) based solution enables access to the devices anytime from anywhere, so that users stay connected with the business and with the world.


InHand Networks is a global leader in Industrial IoT with a product portfolio including industrial M2M routers, gateways, industrial Ethernet switches, industrial computers and IoT management platforms. It provides complete IoT solutions for various vertical markets including Smart Grid, Industrial Automation, Remote Machine Monitoring, Smart Vending, Smart City, Retail and more.


A Broken Access Control vulnerability has been discovered in the InHand Networks InConnect service. It is caused by inadequate filtering of user input.

Solutions

InHand Networks has fixed the issue.

Timeline

Fortinet reported the vulnerability to InHand Networks on October 27, 2022.

InHand Networks confirmed the vulnerability on November 15, 2022.

InHand Networks patched the vulnerability on March 14, 2023.

Acknowledgement

This vulnerability was discovered by Zhouyuan Yang of Fortinet's FortiGuard Labs.

IPS Subscription

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability with the appropriate configuration parameters in place. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.