Summary
A vulnerability was identified in the password generation algorithm of the variTRON debug interface. The PRNG is seeded with the current Unix timestamp, so the resulting password is predictable.
With the password, root access to the UART and SSH interfaces can be gained.
The impact is limited, since the debug interface has to be actively enabled by an authorized user and will be deactivated automatically after the next reboot of the device.
Impact
Unauthorized root access to the UART and SSH interfaces.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| | variTRON500 | Firmware <9.0.2.5 |
| | variTRON300 | Firmware <9.0.2.5 |
| | variTRON500 touch | Firmware <9.0.2.5 |
Vulnerabilities
A vulnerability was identified in the password generation algorithm when accessing the debug interface. An unauthenticated local attacker with knowledge of the password generation timeframe might be able to brute force the password in a timely manner and thus gain root access to the device if the debug interface is still enabled.
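The following added example illustrates the weakness class described above and its hardened counterpart; it is not JUMO's code, and the actual variTRON algorithm is not given in this advisory. The alphabet, password length, sample timestamp, function names and the use of Python's `random.Random` as a stand-in for the unspecified PRNG are all assumptions.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed: 62 symbols
LENGTH = 12                                       # assumed password length
SAMPLE_TIME = 1_700_000_000                       # constructed Unix timestamp


def weak_password(unix_time: int) -> str:
    """Hypothetical weak pattern: a general-purpose PRNG seeded with the clock."""
    rng = random.Random(unix_time)
    return "".join(rng.choice(ALPHABET) for _ in range(LENGTH))


def strong_password() -> str:
    """Hardened form: every character comes from the OS CSPRNG, no seed."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


def nominal_bits() -> float:
    """Entropy the password appears to have from its alphabet and length."""
    return LENGTH * math.log2(len(ALPHABET))


def effective_bits(window_seconds: int) -> float:
    """Entropy left once the generation time is known to within a window:
    one possible seed per second, so at most window_seconds passwords."""
    return math.log2(window_seconds)


def reproducible(generator, unix_time: int) -> bool:
    """Regression check: does fixing the timestamp fix the password?"""
    return generator(unix_time) == generator(unix_time)


if __name__ == "__main__":
    print("time-seeded output reproducible:", reproducible(weak_password, SAMPLE_TIME))
    print("CSPRNG output reproducible:     ",
          reproducible(lambda _t: strong_password(), SAMPLE_TIME))
    print(f"nominal entropy:          {nominal_bits():.1f} bits")
    print(f"effective, 1 hour window: {effective_bits(3600):.1f} bits")
    print(f"effective, 1 day window:  {effective_bits(86400):.1f} bits")
```

The `reproducible` check can be kept as a regression test for any credential generator: a generator that passes it with a fixed timestamp derives its output from the clock rather than from a CSPRNG.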
Mitigation
Disable the debug interface to prevent unauthorized root access to the UART and SSH interfaces.
Remediation
Update the affected products to version 9.0.2.5.
Acknowledgments
JUMO GmbH & Co. KG thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://certvde.com)
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 10.11.2025 12:00 | Release version. |