CVE-2023-5500: VDE-2023-049 | CERT@VDE

2023-12-11 08:00 (CET) VDE-2023-049

Frauscher: FDS102 for FAdC/FAdCi remote code execution vulnerability

Published

2023-12-11 08:00 (CET)

Last update

2023-11-09 12:04 (CET)

Vendor(s)

Frauscher Sensortechnik GmbH

Product(s)

Article No°: -
Product Name: FDS102 for FAdC/FAdCi
Affected Version(s): 2.10.0 through 2.10.1

Summary

Frauscher Sensortechnik GmbH FDS102 for FAdC/FAdCi v2.10.1 contains a remote code execution (RCE) vulnerability that is reachable through manipulated parameters of the web interface when the request carries an authenticated session cookie.

CVE ID

CVE-2023-5500

Last Update: Nov. 8, 2023, 11:55 a.m.

Severity

Weakness

Improper Control of Generation of Code (‘Code Injection’) (CWE-94)

Summary

This vulnerability allows a remote attacker with low privileges to exploit improper control of code generation (code injection) and gain full control of the affected device.

Details

Impact

This vulnerability may lead to a full compromise of the FDS102 device.
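The advisory classifies the flaw as CWE-94 reached through web-interface parameters, but gives no detail of the affected handler. The following is an added, constructed illustration of that weakness class and is not FDS102 code: a hypothetical diagnostics endpoint whose "filter" parameter is turned into code, shown beside a hardened version that parses the parameter against a fixed grammar instead. The endpoint, parameter name, sensor readings and payload are all assumptions made for the example.

```python
import re

# Constructed illustration of CWE-94 (code injection) in a web handler.
# This is NOT Frauscher FDS102 code; the endpoint, parameter name and
# data are assumptions made for the example.

# Sample readings the hypothetical diagnostics page would display.
READINGS = {"sensor_1": 42, "sensor_2": 7, "sensor_3": 13}

# Marker set by the injected payload below, to show the code actually ran.
INJECTED = False


def vulnerable_filter(param: str) -> dict:
    """Builds Python source from the 'filter' request parameter and evaluates it.

    The developer intended expressions like 'value > 10'. Because the raw
    parameter becomes code, any authenticated user (a session cookie is all
    that is needed) can supply arbitrary Python instead.
    """
    source = f"lambda name, value: ({param})"
    predicate = eval(source)  # CWE-94: attacker-controlled code generation
    return {k: v for k, v in READINGS.items() if predicate(k, v)}


# Hardened version: the parameter is matched against a tiny fixed grammar and
# mapped onto pre-defined operations; no user-supplied text is ever evaluated.
_OPS = {
    ">": lambda v, n: v > n,
    "<": lambda v, n: v < n,
    "==": lambda v, n: v == n,
}
_FILTER_RE = re.compile(r"value\s*(>|<|==)\s*(\d{1,9})")


def hardened_filter(param: str) -> dict:
    match = _FILTER_RE.fullmatch(param.strip())
    if match is None:
        raise ValueError("rejected filter expression")
    op, threshold = _OPS[match.group(1)], int(match.group(2))
    return {k: v for k, v in READINGS.items() if op(v, threshold)}


# Payload an attacker could send as the 'filter' parameter. Here it only
# flips a module-level flag; the same position could run any Python
# (spawn a shell, read files) with the web server's privileges.
PAYLOAD = 'value > 10 or globals().__setitem__("INJECTED", True)'


def demonstrate_injection() -> bool:
    """Returns True if the payload executed through the vulnerable handler."""
    global INJECTED
    INJECTED = False
    vulnerable_filter(PAYLOAD)
    return INJECTED


def hardened_rejects(param: str) -> bool:
    """Returns True if the hardened parser refuses the parameter."""
    try:
        hardened_filter(param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, benign input:", vulnerable_filter("value > 10"))
    print("payload executed:", demonstrate_injection())
    print("hardened, benign input:", hardened_filter("value > 10"))
    print("hardened rejects payload:", hardened_rejects(PAYLOAD))
```

The point of the hardened variant is that the parameter is data that selects among operations the developer wrote, never source code; authentication (the session cookie) limits who can reach the handler, not what the handler will execute, which is why the advisory's low-privilege attacker still ends with full device control.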

Solution

Mitigation

Security-related application conditions (SecRAC)

The railway operator must ensure that only authorised personnel or people in the company of authorised personnel have access to the Frauscher Diagnostic System FDS102.

The recommendation is to connect the Frauscher Diagnostic System FDS102 to a network of category 2. If the Frauscher Diagnostic System FDS102 is connected to a network of category 3 (according to EN 50159:2010), then additional protective measures must be added.

Remediation

Update to FDS102 v2.10.2 or higher

Reported by

CERT@VDE coordinated with Frauscher Sensortechnik GmbH
