
ID

VDE-2024-043

Published

2024-08-22 08:00 (CEST)

Last update

2024-08-21 08:34 (CEST)

Vendor(s)

Welotec GmbH

Product(s)

Article No.    Product Name                        Affected Version(s)
WEG500100170 EG500Mk2-A11001-000101 <= v1.5.3
WEG500100290 EG500Mk2-A11001-000201 <= v1.5.3
WEG500100160 EG500Mk2-A11101-000101 <= v1.5.3
WEG500100280 EG500Mk2-A12011-000101 <= v1.5.3
WEG500100190 EG500Mk2-B11001-000101 <= v1.5.3
WEG500100180 EG500Mk2-B11101-000101 <= v1.5.3
WEG500100270 EG500Mk2-C11001-000101 <= v1.5.3
WEG500100260 EG500Mk2-C11101-000101 <= v1.5.3
WEG500100020 EG503L <= v1.5.3
WEG500100040 EG503L_4GB <= v1.5.3
WEG500100130 EG503L-G <= v1.5.3
WEG500100010 EG503W <= v1.5.3
WEG500100030 EG503W_4GB <= v1.5.3
WEG600100020 EG602L <= v1.5.3
WEG600100010 EG602W <= v1.5.3
WEG600100050 EG603L Mk2 <= v1.5.3
WEG600100040 EG603W Mk2 <= v1.5.3
WEG800100010 EG802W <= v1.5.3
WEG800100040 EG802W_i7_512GB_DinRail <= v1.5.3
WEG800100050 EG802W_i7_512GB_w/o DinRail <= v1.5.3
WEG800100020 EG804W <= v1.5.3

Summary

Products from the Edge Gateway family are affected by the recently published OpenSSH vulnerability known as "regreSSHion".


Last Update:

Aug. 30, 2024, 9:21 a.m.

Weakness

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')  (CWE-362) 

Summary

A security regression was discovered in OpenSSH's server (sshd): a fix for the 2006 signal-handler race (CVE-2006-5051) was lost again in later OpenSSH releases, and the reintroduced bug was published as "regreSSHion" (CVE-2024-6387). When a client does not complete authentication within the configured login grace time, sshd's SIGALRM handler runs code that is not safe to call from a signal handler. An unauthenticated, remote attacker can trigger this race simply by connecting and letting the grace period expire, without any credentials.


Impact

The vulnerability can lead to unauthenticated remote code execution in the context of the sshd process, which on Linux-based systems normally runs as root.
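The following is an added triage helper, not part of the CERT@VDE advisory or of any Welotec tooling. It classifies a gateway's SSH identification banner against the upstream OpenSSH versions affected by the regression described above (an upstream fact not stated on this page: the regressed race is present in OpenSSH 8.5 through 9.7p1 and was fixed in 9.8p1; releases before 4.4p1 carried the original CVE-2006-5051 bug). The host names and banners in SAMPLE_BANNERS are constructed for the example. Because vendors and distributions backport fixes without changing the banner, a "vulnerable" result means "verify the firmware version", never a confirmed finding; for the products listed here the authoritative check is the egOS version (fixed in v1.5.4 or later).

```python
"""Banner-based triage for the regreSSHion (CVE-2024-6387) sshd race.

Added example; not the advisory's or the vendor's code.
Assumptions (upstream OpenSSH history, not stated on the advisory page):
  * < 4.4p1           : original CVE-2006-5051 race
  * 4.4p1 .. 8.4p1    : not affected
  * 8.5 .. 9.7p1      : regression (CVE-2024-6387)
  * >= 9.8p1          : fixed
A banner check cannot see backported fixes, so "vulnerable" means
"needs verification against the firmware/package version".
"""
import re
import socket

# RFC 4253 identification string, e.g. "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3"
BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner):
    """Return (major, minor, portable) for an OpenSSH banner, else None.

    A banner without a 'pN' suffix (OpenBSD native builds) gets portable=0.
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable or 0))


def classify(banner):
    """Map a banner to: vulnerable, vulnerable-original, fixed, pre-regression, unknown."""
    v = parse_openssh_version(banner)
    if v is None:
        return "unknown"          # not OpenSSH, or an unexpected banner format
    if v >= (9, 8, 0):
        return "fixed"
    if v >= (8, 5, 0):
        return "vulnerable"       # 8.5 .. 9.7p1: regressed signal-handler race
    if v >= (4, 4, 1):
        return "pre-regression"   # carried the 2006 fix, not yet regressed
    return "vulnerable-original"  # < 4.4p1: original CVE-2006-5051


def grab_banner(host, port=22, timeout=5.0):
    """Read the server identification line without authenticating.

    Only the first line starting with 'SSH-' is returned; servers may send
    free-text lines before it. Network use is optional; classify() works
    on any banner string, so the check can run offline on inventory data.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-triage_example\r\n")
        data = s.recv(256)
    for line in data.decode("ascii", "replace").splitlines():
        if line.startswith("SSH-"):
            return line
    return ""


def triage(banners):
    """Classify a {host: banner} inventory; returns {host: verdict}."""
    return {host: classify(banner) for host, banner in banners.items()}


# Constructed sample inventory (not real devices or captured banners).
SAMPLE_BANNERS = {
    "gateway-a": "SSH-2.0-OpenSSH_9.3p1",
    "gateway-b": "SSH-2.0-OpenSSH_9.8p1",
    "gateway-c": "SSH-2.0-OpenSSH_8.4p1",
    "gateway-d": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3",
    "gateway-e": "SSH-2.0-dropbear_2022.83",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{host:12s} {SAMPLE_BANNERS[host]:45s} {verdict}")
```

Hosts reported as "vulnerable" should be confirmed against their egOS version rather than the banner alone; "unknown" means the device is not running OpenSSH or answered with an unexpected banner and needs a manual look.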

Solution

Mitigation

Until the update can be applied, disable SSH access on the device: locally via the CLI command or a config import, or for centrally managed devices by changing the configuration in SMART EMS. Note that this closes the attack surface entirely (the race needs an open sshd port) but also removes remote shell access to the gateway.
Refer to the egOS manual, chapter 4.26, for further information.

Remediation

Update egOS on affected products to version v1.5.4 or later

Reported by

Qualys Threat Research Unit (TRU)
CERT@VDE coordinated with Welotec GmbH