Share: Email | Twitter

ID

VDE-2024-028

Published

2024-06-03 08:00 (CEST)

Last update

2024-06-03 11:00 (CEST)

Vendor(s)

ifm electronic GmbH

Product(s)

Article No° Product Name Affected Version(s)
moneo software installed on Microsoft Windows 1.13
moneo software installed on QHA210 1.13
moneo software installed on QHA300 1.13
moneo software installed on QVA200 1.13

Summary

moneo "Forgot Password" function has a vulnerability which allows gaining privileged access.

CVE ID

CVE-2024-5404 

Last Update:

Aug. 30, 2024, 9:24 a.m.

Severity

9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 

Weakness

Password Recovery Mechanism for Forgotten Password  (CWE-640) 

Summary

An unauthenticated remote attacker can change the admin password in a moneo appliance due to weak password recovery mechanism.

Details

cert.vde.com 

Impact

In a moneo appliance with no mailserver configured, an unauthorized attacker can reset a password to the new user default value.

Solution

Mitigation

The correct configuration of a mail server prevents the exploitation of the vulnerability.

Remediation

Update to moneo version 1.13.5 or later.

Reported by

CERT@VDE coordinated with ifm