Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-47553: Multiple Vulnerabilities Ormazabal Products | INCIBE-CERT

** UNSUPPPORTED WHEN ASSIGNED ** Incorrect authorisation in ekorCCP and ekorRCI, which could allow a remote attacker to obtain resources with sensitive information for the organisation, without being authenticated within the web server.

CVE
#csrf#vulnerability#web#dos#git#backdoor#perl#auth

Affected Resources

Firmware version 601j of the following devices:

  • ekorCCP,
  • ekorRCI.

Description

INCIBE has coordinated the publication of 10 vulnerabilities in Ormazabal’s ekorCCP and ekorRCI industrial devices., which have been discovered by the S21sec Industrial Cybersecurity team, special mention to Jacinto Moral Matellán.

These vulnerabilities have been assigned the following codes:

  • CVE-2022-47553:
    • CVSS v3.1 base score: 8,6.
    • CVSS vector string: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N.
    • Vulnerability type: CWE-285: Improper Authorization.
  • CVE-2022-47554:
    • CVSS v3.1 base score: 8,2.
    • CVSS vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N.
    • Vulnerability type: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.
  • CVE-2022-47555:
    • CVSS v3.1 base score: 9,3.
    • CVSS vector string: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N.
    • Vulnerability type: CWE-78: Improper Neutralization of Special Elements used in an OS Command.
  • CVE-2022-47556:
    • CVSS v3.1 base score: 6,5.
    • CVSS vector string: AV:N/AC:L/PR:L /UI:N/S:U/C:N/I:N/A:H.
    • Vulnerability type: CWE-400: Uncontrolled Resource Consumption.
  • CVE-2022-47557:
    • CVSS v3.1 base score: 6,1.
    • CVSS vector string: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N.
    • Vulnerability type: CWE-916: Use of Password Hash With Insufficient Computational Effort.
  • CVE-2022-47558:
    • CVSS v3.1 base score: 9,4.
    • CVSS vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L.
    • Vulnerability type: CWE-284: Improper Access Control.
  • CVE-2022-47559:
    • CVSS v3.1 base score: 8,6.
    • CVSS vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L.
    • Vulnerability type: CWE-352: Cross-Site Request Forgery (CSRF).
  • CVE-2022-47560:
    • CVSS v3.1 base score: 5,7.
    • CVSS vector string: AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N.
    • Vulnerability type: CWE-319: Cleartext Transmission of Sensitive Information.
  • CVE-2022-47561:
    • CVSS v3.1 base score: 7,3.
    • CVSS vector string: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L.
    • Vulnerability type: CWE-256: Unprotected Storage of Credentials.
  • CVE-2022-47562:
    • CVSS v3.1 base score: 7,5.
    • CVSS vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
    • Vulnerability type: CWE-770: Allocation of Resources Without Limits or Throttling.

Solution

The affected devices are at the end of their life cycle. Ormazabal recommends upgrading to updated models.

Detail

Vulnerabilities affecting both ekorCCP and ekorRCI:

  • CVE-2022-47553: incorrect authorisation, which could allow a remote attacker to obtain resources with sensitive information for the organisation, without being authenticated within the web server…
  • CVE-2022-47554: exposure of sensitive information, potentially allowing a remote attacker to obtain critical information from various .xml files, including .xml files containing credentials, without being authenticated within the web server.
  • CVE-2022-47555: operating system command injection, which could allow an authenticated attacker to execute commands, create new users with elevated privileges or set up a backdoor.
  • CVE-2022-47557: vulnerability that could allow an attacker with access to the network where the device is located to decrypt the credentials of privileged users, and subsequently gain access to the system to perform malicious actions.
  • CVE-2022-47558: devices are vulnerable due to access to the FTP service using default credentials. Exploitation of this vulnerability can allow an attacker to modify critical files that could allow the creation of new users, delete or modify existing users, modify configuration files, install rootkits or backdoors.
  • CVE-2022-47559: lack of device control over web requests, allowing an attacker to create customised requests to execute malicious actions when a user is logged in, affecting availability, privacy and integrity.

Vulnerabilities affecting only ekorRCI:

  • CVE-2022-47556: uncontrolled resource consumption, allowing an attacker with low-privileged access to the web server to send continuous legitimate web requests to a functionality that is not properly validated, in order to cause a denial of service (DoS) on the device.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907