Share: Email | Twitter

ID

VDE-2022-029

Published

2022-09-26 10:00 (CEST)

Last update

2022-09-26 12:00 (CEST)

Vendor(s)

Carlo Gavazzi Controls SpA

Product(s)

Article No° Product Name Affected Version(s)
SBP2CPY24 CPY Car Park Server < 2.8.3
UWP30RSEXXX UWP 3.0 Monitoring Gateway and Controller < 8.5.0.3
UWP30RSEXXXEDP UWP 3.0 Monitoring Gateway and Controller – EDP version < 8.5.0.3
UWP30RSEXXXSE UWP 3.0 Monitoring Gateway and Controller – Security Enhanced < 8.5.0.3

Summary

The UWP 3.0 family of Monitoring Gateways and Controllers and the CPY Car Park Server are affected by multiple vulnerabilities in their set-up software, runtime firmware, embedded Web interface.

Vulnerabilities



Last Update
Nov. 17, 2022, 11:18 a.m.
Weakness
Use of Hard-coded Credentials (CWE-798)
Summary
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could make use of hard-coded credentials to gain full access to the device.
Last Update
Nov. 17, 2022, 11:18 a.m.
Weakness
Missing Authentication for Critical Function (CWE-306)
Summary
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a missing authentication allows for full access via API.
Last Update
Nov. 17, 2022, 11:18 a.m.
Weakness
Improper Neutralization of Special Elements used in an OS Command ("OS Command Injection") (CWE-78)
Summary
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could utilize an improper input validation on an API-submitted parameter to execute arbitrary OS commands.
Last Update
Nov. 17, 2022, 11:18 a.m.
Weakness
Use of Hard-coded Credentials (CWE-798)
Summary
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could make use of hard-coded credentials to gain SuperUser access to the device.
Last Update
Sept. 26, 2022, 8:39 a.m.
Weakness
Relative Path Traversal (CWE-23)
Summary

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions was discovered to be vulnerable to a relative path traversal vulnerability which enables remote attackers to read arbitrary files and gain full control of the device.

Last Update
Nov. 17, 2022, 11:18 a.m.
Weakness
Improper Neutralization of Special Elements used in an SQL Command ("SQL Injection") (CWE-89)
Summary
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 an unauthenticated remote attacker could utilize a SQL-Injection vulnerability to gain full database access, modify users and stop services .
Last Update
Nov. 17, 2022, 11:18 a.m.
Weakness
Improper Authentication (CWE-287)
Summary
An improper authentication vulnerability exists in the Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 Web-App which allows an authentication bypass to the context of an unauthorised user if free-access is disabled.
Last Update
Nov. 17, 2022, 11:18 a.m.
Weakness
Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) (CWE-89)
Summary
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could make use of an SQL-injection to gain access to a volatile temporary database with the current states of the device.
Last Update
Nov. 17, 2022, 11:18 a.m.
Weakness
Improper Input Validation (CWE-20)
Summary
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 an remote attacker with admin rights could execute arbitrary commands due to missing input sanitization in the backup restore function
Last Update
Nov. 17, 2022, 11:18 a.m.
Weakness
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") (CWE-79)
Summary
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 the Sentilo Proxy is prone to reflected XSS which only affects the Sentilo service.
Last Update
Nov. 17, 2022, 11:18 a.m.
Weakness
Improper Neutralization of Special Elements used in an SQL Command ("SQL Injection") (CWE-89)
Summary
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 the Sentilo Proxy server was discovered to contain a SQL injection vulnerability allowing an attacker to query other tables of the Sentilo service.

Impact

An attacker can get full access to the affected devices. See the vulnerability descriptions for details.

Solution

General recommendations

  • Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
  • Use firewalls to protect and separate the control system network from other networks
  • Use VPN (Virtual Private Networks) tunnels if remote access is required
  • Activate and apply user management and password features
  • Use encrypted communication links
  • Limit the access to both set-up and control system by physical means, operating system features, etc.
  • Protect the set-up and control system by using up to date virus detecting solutions

Remediation

Please update to software/firmware versions as described below:

Article Nr. Product Name and Description Fixed in version
UWP30RSEXXX UWP 3.0 Monitoring Gateway and Controller >= 8.5.0.3
available from April 27th,2022
UWP30RSEXXXSE UWP 3.0 Monitoring Gateway and Controller – Security
Enhanced
UWP30RSEXXXEDP UWP 3.0 Monitoring Gateway and Controller – EDP version
SBP2CPY24 CPY Car Park Server >= 2.8.3
available from June 28th,2022

Reported by

Carlo Gavazzi thanks the following parties for their efforts:

  • CERT@VDE for coordination and support with this publication
  • Vera Mens from Claroty Research for reporting to CERT@VDE