Share: Email | Twitter

ID

VDE-2019-012

Published

2019-06-04 15:21 (CEST)

Last update

2019-06-04 15:21 (CEST)

Vendor(s)

TECSON/GOK

Product(s)

Article No° Product Name Affected Version(s)
e-litro net all versions
LX-Net all versions
LX-Q-Net all versions
SmartBox 4 LAN all versions
SmartBox 4 LAN PRO all versions

Summary

A security researcher discovered that the affected application doesn't properly restrict access to an endpoint that is responsible for saving settings, to a user with limited access rights. Based on the lack of adequately implemented access-control rules, by accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to change the application settings without authenticating at all, which violates originally laid ACL rules.


Last Update:

18. Februar 2020 09:12

Weakness

Improper Authentication and Access Control  (CWE-287) 

Summary

A security researcher discovered that the affected application doesn't properly restrict access to an endpoint that is responsible for saving settings, to a user with limited access rights. Based on the lack of adequately implemented access-control rules, by accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to change the application settings without authenticating at all, which violates originally laid ACL rules.

Impact

This issue allows changing the configuration and get full access to the web-based configuration interface of the device wich includes all settings like passwords, alerting parameters and output states. That can adversely affect the planned operation of the equipment or can aid in further attacks on the industrial control process.

Solution

Temporary Fix / Mitigation

In secure environments disable port forwarding and remote access to the device otherwise disable network access completely.

Reported by

Maxim Rupp (rupp.it) reported this vulnerability to CERT@VDE.
CERT@VDE coordinated with TECSON.