VDE-2020-016 | CERT@VDE

2020-05-28 15:00 (CEST) VDE-2020-016

SWARCO: Critical Vulnerability in CPU LS4000

Share: Email | Twitter

ID

VDE-2020-016

Published

2020-05-28 15:00 (CEST)

Last update

2022-03-01 11:07 (CET)

Vendor(s)

SWARCO TRAFFIC SYSTEMS GmbH

Product(s)

Article No°	Product Name	Affected Version(s)
	CPU LS4000	G4*

Summary

An open port used for debugging grants root access to the device without access control via network.

CVE ID

CVE-2020-12493

Last Update:

June 26, 2020, 1:06 p.m.

Severity

10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Weakness

Improper Access Control (CWE-284)

Summary

An open port used for debugging in SWARCOs CPU LS4000 Series with versions starting with G4... grants root access to the device without access control via network. A malicious user could use this vulnerability to get access to the device and disturb operations with connected devices.

Details

nvd.nist.gov

Impact

A malicious user could use this vulnerability to get access to the device and disturb operations with connected devices.

Solution

SWARCO TRAFFIC SYSTEMS released a patch to fix the vulnerability and close the port. Please contact your SWARCO TRAFFIC SYSTEMS contact person for further information.

Reported by

Martin Aman (ProtectEM) reported this vulnerability.
Coordinated by CERT@VDE.