Summary
The UWP 3.0 family of Monitoring Gateways and Controllers and the CPY Car Park Server are affected by multiple vulnerabilities in their set-up software, runtime firmware, embedded Web interface.
Impact
An attacker can get full access to the affected devices. See the vulnerability descriptions for details.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| UWP30RSEXXX | Hardware UWP 3.0 Monitoring Gateway and Controller | Firmware <8.5.0.3 |
| UWP30RSEXXXEDP | Hardware UWP 3.0 Monitoring Gateway and Controller – EDP version | Firmware <8.5.0.3 |
| UWP30RSEXXXSE | Hardware UWP 3.0 Monitoring Gateway and Controller – Security Enhanced | Firmware <8.5.0.3 |
| Software CPY Car Park Server <2.8.3 | Software CPY Car Park Server <2.8.3 |
Vulnerabilities
Expand / Collapse allIn Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 the Sentilo Proxy server was discovered to contain a SQL injection vulnerability allowing an attacker to query other tables of the Sentilo service.
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 the Sentilo Proxy is prone to reflected XSS which only affects the Sentilo service.
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 an remote attacker with admin rights could execute arbitrary commands due to missing input sanitization in the backup restore function.
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could make use of an SQL-injection to gain access to a volatile temporary database with the current states of the device.
An improper authentication vulnerability exists in the Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 Web-App which allows an authentication bypass to the context of an unauthorised user if free-access is disabled.
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 an unauthenticated remote attacker could utilize a SQL-Injection vulnerability to gain full database access, modify users and stop services .
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions was discovered to be vulnerable to a relative path traversal vulnerability which enables remote attackers to read arbitrary files and gain full control of the device.
n Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could make use of hard-coded credentials to gain SuperUser access to the device.
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could utilize an improper input validation on an API-submitted parameter to execute arbitrary OS commands.
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a missing authentication allows for full access via API.
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could make use of hard-coded credentials to gain full access to the device.
Remediation
Please update to software/firmware versions as described below:
| Article Nr. | Product Name and Description | Fixed in version |
|---|---|---|
| UWP30RSEXXX | UWP 3.0 Monitoring Gateway and Controller | >= 8.5.0.3 (available from April 27th, 2022) |
| UWP30RSEXXXSE | UWP 3.0 Monitoring Gateway and Controller – Security Enhanced | >= 8.5.0.3 (available from April 27th, 2022) |
| UWP30RSEXXXEDP | UWP 3.0 Monitoring Gateway and Controller – EDP version | >= 8.5.0.3 (available from April 27th, 2022) |
| SBP2CPY24 | CPY Car Park Server | >= 2.8.3 (available from June 28th, 2022) |
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 26.09.2022 10:00 | Initial revision. |
| 2 | 06.11.2024 12:27 | Fix: added self-reference |
| 3 | 11.04.2025 09:00 | Fix: version range, remove Issuing authority |
| 4 | 14.05.2025 15:00 | Fix: added distribution |