Article No° | Product Name | Affected Version(s) |
---|---|---|
58665 | Com-Server ++ | < 1.55 |
58664 | Com-Server 20mA | < 1.55 |
58651 | Com-Server Highspeed 100BaseFX | < 1.78 |
58652 | Com-Server Highspeed 100BaseLX | < 1.78 |
58331 | Com-Server Highspeed 19" 1Port | < 1.78 |
58334 | Com-Server Highspeed 19" 4Port | < 1.78 |
58231 | Com-Server Highspeed Compact | < 1.78 |
58631 | Com-Server Highspeed Industry | < 1.78 |
58633 | Com-Server Highspeed Isolated | < 1.78 |
58431 | Com-Server Highspeed OEM | < 1.78 |
58031 | Com-Server Highspeed Office 1 Port | < 1.78 |
58034 | Com-Server Highspeed Office 4 Port | < 1.78 |
58641 | Com-Server Highspeed PoE | < 1.78 |
58661 | Com-Server LC | < 1.55 |
58662 | Com-Server PoE 3 x Isolated | < 1.55 |
58669 | Com-Server UL | < 1.55 |
Multiple Wiesemann & Theis product families are affected by a vulnerability in the web interface. The device allows an unauthenticated attacker to obtain the session ID of a logged-in user. The attacker may then spoof their IP address to act as the logged-in user.
Multiple Wiesemann & Theis products of the Com-Server series are prone to an authentication bypass through IP spoofing. During an authenticated session to the WBM of the Com-Server, an unauthenticated attacker in the same subnet can obtain the session ID and change arbitrary settings by crafting modified HTTP GET requests. This may result in a complete takeover of the device.
The attacker can set all settings and take over the device completely.
CERT@VDE coordinated with Wiesemann & Theis.
Wiesemann & Theis would like to thank Martin Weiß for responsibly disclosing this vulnerability.