ID

VDE-2022-050

Published

2022-12-12 12:00 (CET)

Last update

2022-12-12 12:38 (CET)

Vendor(s)

ifm electronic GmbH

Product(s)

Article No. | Product Name    | Affected Version(s)
QHA200      | moneo appliance | <= 1.9.3
QHA210      | moneo appliance | <= 1.9.3

Summary

An unauthenticated remote attacker could reset the administrator's password with information from the default, self-signed certificate.

Weakness

Weak Password Recovery Mechanism for Forgotten Password (CWE-640)

Summary

In ifm moneo appliances up to and including version 1.9.3, an unauthenticated remote attacker can reset the administrator password by supplying only the appliance's serial number. Because the default, self-signed certificate presented by the appliance contains that serial number, anyone who can reach the appliance's HTTPS interface can obtain it without prior authentication.


Impact

An unauthenticated attacker can remotely reset the administrator password and thereby take over administrative control of the appliance.

Solution

Mitigation

  • Renew the certificate by changing the appliance hostname to a customer-specific one, so that the certificate no longer contains the serial number. Verify afterwards that the certificate actually served on the HTTPS interface is the renewed one and that none of its names still embed the serial number.
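The following script is an added example (not ifm's code and not part of the original advisory) for checking whether a renewed certificate still exposes the serial number. It assumes the appliance serves HTTPS on port 443 and that the serial number, if present, appears as a substring of the certificate's Common Name or Subject Alternative Name entries; the sample certificate dictionaries and the serial-number format in them are constructed for illustration and are not ifm's real values. It uses only the Python standard library.

```python
import socket
import ssl

# Constructed samples in the shape that ssl.SSLSocket.getpeercert() returns.
# The CN/SAN values are made up: a default certificate whose hostname embeds
# a serial number (assumed format, not ifm's real one) and a renamed one.
SAMPLE_CERT_DEFAULT = {
    "subject": ((("commonName", "QHA200-12345678"),),),
    "subjectAltName": (("DNS", "QHA200-12345678"), ("IP Address", "192.0.2.10")),
}
SAMPLE_CERT_RENAMED = {
    "subject": ((("commonName", "moneo-plant1"),),),
    "subjectAltName": (("DNS", "moneo-plant1.example.net"),),
}


def names_in_cert(cert):
    """Collect the Common Name and every SAN value from a getpeercert() dict."""
    names = []
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    for _kind, value in cert.get("subjectAltName", ()):
        names.append(value)
    return names


def leaks_serial(names, serial):
    """True if the serial number appears (case-insensitively) in any name."""
    needle = serial.lower()
    return any(needle in name.lower() for name in names)


def fetch_cert_dict(host, port=443, timeout=5.0):
    """Fetch the appliance's certificate and return it parsed as a dict.

    Python only parses the peer certificate into a dict when the chain was
    verified, so fetch the PEM first, trust exactly that certificate as the
    CA, and reconnect. A self-signed certificate validates against itself.
    """
    pem = ssl.get_server_certificate((host, port), timeout=timeout)
    ctx = ssl.create_default_context(cadata=pem)
    ctx.check_hostname = False  # the CN itself is what is being inspected
    # Newer Pythons enable strict RFC 5280 checks by default, which some
    # self-signed appliance certificates do not pass; relax them here.
    ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_appliance(host, serial, port=443):
    """Return (names, leaking) for the certificate served by host:port."""
    names = names_in_cert(fetch_cert_dict(host, port))
    return names, leaks_serial(names, serial)


if __name__ == "__main__":
    import sys

    if len(sys.argv) != 3:
        sys.exit("usage: check_cert.py <appliance-host> <serial-number>")
    cert_names, leaking = check_appliance(sys.argv[1], sys.argv[2])
    print("certificate names:", ", ".join(cert_names))
    print("serial number exposed in certificate:", leaking)
```

Run it with the appliance address and the serial number printed on the device label; a result of `True` means the mitigation has not taken effect on the certificate actually being served (for example because the old certificate is still cached by a proxy in front of the appliance, or the renewal did not happen). The check is deliberately a substring match so that it also catches serial numbers embedded in longer hostnames.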

Remediation

The password-reset mechanism will be updated in a future version.

When using automation components, make sure that no unauthorized access can take place. In addition, take measures to ensure that the components have no direct access to Internet resources and cannot be reached from insecure networks. Use the available security measures, such as authentication and authorization groups.

Reported by

CERT@VDE coordinated with IFM.
Thanks to Aimon Dawson for reporting to IFM.