Security Vulnerabilities

This page lists known security vulnerabilities in DXU.

Known Issue: DXU service can accept unauthenticated settings changes

CVE: CVE-2021-43333

Description

The DXU service, when enabled, exposes endpoints that can be used to change or query the configuration of the device. These endpoints require no authentication. This opens the possibility for malicious code to change device settings or gain information about the device.

No Wi-Fi passwords are exposed by this vulnerability.

Thanks to Cygenta Ltd. for finding this issue.

Mitigation

To avoid this security vulnerability, the DXU service must be disabled. This can be done on your device by performing the following steps:

  1. Open DXU Agent.
  2. Tap the more icon in the lower right corner. A black bar will pop up.
  3. Tap "Settings" on the black bar. This will bring up the settings menu.
  4. Tap "Settings" in the menu. This will bring up general DXU agent settings.
  5. Uncheck the "Enable service" checkbox.

On newer devices, such as the Skorpio X5, the service is off by default. On older devices, such as the DL-Axist, the service is on by default.