Summary
Frauscher Sensortechnik GmbH FDS101 for FAdC/FAdCi v1.4.24 and all previous versions are prone to multiple vulnerabilities which could lead up to a full compromise of the FDS101 device.
Impact
Please consult the CVE Entries above.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| FDS101 for FAdC/FAdCi | Firmware <=1.4.24 |
Vulnerabilities
Expand / Collapse allFrauscher Sensortechnik GmbH FDS101 for FAdC/FAdCi v1.4.24 and all previous versions are vulnerable to a remote code execution (RCE) vulnerability via manipulated parameters of the web interface without authentication. This could lead to a full compromise of the FDS101 device.
Frauscher Sensortechnik GmbH FDS101 for FAdC/FAdCi v1.4.24 and all previous versions are vulnerable to a path traversal vulnerability of the web interface by a crafted URL without authentication. This enables an remote attacker to read all files on the filesystem of the FDS101 device.
Frauscher Sensortechnik GmbH FDS101 for FAdC/FAdCi v1.4.24 and all previous versions are vulnerable to a SQL injection vulnerability via manipulated parameters of the web interface without authentication. The database contains limited, non-critical log information.
Mitigation
Security-related application conditions SecRAC
The railway operator must ensure that only authorised personnel or people in the company of authorised personnel have access to the Frauscher Diagnostic System FDS101.
The recommendation is to connect the Frauscher Diagnostic System FDS101 to a network of category 2.
If the Frauscher Diagnostic System FDS101 is connected to a network of category 3 (according to EN 50159:2010), then additional protective measures must be added.
Remediation
Update to FDS102 v2.10.1
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 09/21/2023 08:00 | Initial revision. |