CVE-2019-12254: VDE-2019-012 | CERT@VDE

In multiple Tecson Tankspion and GOK SmartBox 4 products the affected web application does not properly restrict access to the endpoint responsible for saving settings: the endpoint is reachable by an unauthenticated user, and by a user with only limited access rights. Because the access-control rules are not adequately enforced, a malicious user who requests a specific URL on the device's web server can change the application settings without authenticating at all, which violates the intended ACL rules.

CVE
#vulnerability #web #perl #auth

2019-06-04 15:21 (CEST) VDE-2019-012

TECSON/GOK: Improper Authentication and Access Control on multiple devices

Published: 2019-06-04 15:21 (CEST)

Last update: 2019-06-04 15:21 (CEST)

Product(s)

Product Name          Affected Version(s)
--------------------  -------------------
e-litro net           all versions
LX-Net                all versions
LX-Q-Net              all versions
SmartBox 4 LAN        all versions
SmartBox 4 LAN PRO    all versions

(The advisory's "Article No°" column is not populated for any of the listed products.)

Summary

A security researcher discovered that the affected application does not properly restrict access to the endpoint responsible for saving settings: a user with only limited access rights, or with no authenticated session at all, can reach it. Because the access-control rules are not adequately enforced, a malicious user who requests a specific URL on the web server can change the application settings without authenticating, which violates the intended ACL rules.
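The defect class in this advisory (a state-changing endpoint that is reachable without an authenticated session, because authentication was enforced per page rather than by the router) is easiest to see next to a deny-by-default fix. The following is an added illustration, not TECSON/GOK code and not the actual endpoint of the affected devices: the route names, session table, roles and settings keys are all hypothetical, and the sample data is constructed inline.

```python
# Added example (not TECSON/GOK code): a minimal request router that shows
# the access-control defect described in VDE-2019-012, an unauthenticated
# client reaching a settings-saving endpoint, beside a deny-by-default fix.
# Endpoint names, roles, sessions and settings keys are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple, Callable


@dataclass
class Request:
    path: str
    method: str
    session_id: Optional[str] = None          # cookie value, None if anonymous
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""


# Constructed sample state: active sessions -> role, and the device settings.
SESSIONS = {"s-admin-1": "admin", "s-view-1": "viewer"}
SETTINGS: Dict[str, str] = {}


def reset_settings() -> None:
    """Restores the constructed initial settings (used by the demo)."""
    SETTINGS.clear()
    SETTINGS.update({"admin_password": "initial", "alarm_threshold": "10"})


def save_settings(req: Request) -> Response:
    """Writes every submitted key into the settings store."""
    SETTINGS.update(req.form)
    return Response(200, "saved")


def view_status(req: Request) -> Response:
    return Response(200, f"threshold={SETTINGS['alarm_threshold']}")


# --- Vulnerable pattern ---------------------------------------------------
# The login page guards the HTML forms, but the action behind the form was
# never wired to any check, so any client that knows the URL can reach it.
VULNERABLE_ROUTES: Dict[str, Callable[[Request], Response]] = {
    "/status": view_status,
    "/settings/save": save_settings,          # no authentication check at all
}


def vulnerable_dispatch(req: Request) -> Response:
    handler = VULNERABLE_ROUTES.get(req.path)
    if handler is None:
        return Response(404)
    return handler(req)


# --- Hardened pattern -----------------------------------------------------
# Deny by default: every route declares the role it requires and the methods
# it accepts; the router resolves the session and checks both before any
# handler code runs, so a forgotten check in a handler cannot expose it.
ROUTE_POLICY: Dict[str, Tuple[Callable[[Request], Response], str, Set[str]]] = {
    "/status": (view_status, "viewer", {"GET"}),
    "/settings/save": (save_settings, "admin", {"POST"}),
}
ROLE_RANK = {"viewer": 1, "admin": 2}


def hardened_dispatch(req: Request) -> Response:
    entry = ROUTE_POLICY.get(req.path)
    if entry is None:
        return Response(404)
    handler, required_role, methods = entry
    if req.method not in methods:
        return Response(405)
    role = SESSIONS.get(req.session_id)       # None for anonymous or unknown
    if role is None:
        return Response(401, "authentication required")
    if ROLE_RANK[role] < ROLE_RANK[required_role]:
        return Response(403, "insufficient privileges")
    return handler(req)


def demo() -> Tuple[int, str, int, str]:
    """Sends the same anonymous settings change through both routers."""
    anon = Request("/settings/save", "POST", None, {"admin_password": "owned"})
    reset_settings()
    v = vulnerable_dispatch(anon)
    v_pw = SETTINGS["admin_password"]         # overwritten by an anonymous client
    reset_settings()
    h = hardened_dispatch(anon)
    h_pw = SETTINGS["admin_password"]         # unchanged, request rejected
    return (v.status, v_pw, h.status, h_pw)


if __name__ == "__main__":
    print(demo())
```

The point of the hardened router is not the specific roles but where the check lives: a central policy table that must list every path, with unknown paths and anonymous sessions rejected before a handler runs. When auditing a device web interface for this issue, request each state-changing URL from the settings pages without a session cookie and confirm the server answers 401 or 403 rather than applying the change.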

CVE ID

CVE-2019-12254

Severity

Weakness

Improper Authentication and Access Control (CWE-287)


Source

Impact

This issue allows an attacker to change the configuration and gain full access to the device's web-based configuration interface, which includes all settings such as passwords, alerting parameters and output states. That can adversely affect the planned operation of the equipment or aid further attacks on the industrial control process.

Solution

Temporary Fix / Mitigation

If the device sits in a protected network, disable port forwarding and any remote access to it; otherwise disable its network access completely.

Reported by

Maxim Rupp (rupp.it) reported this vulnerability to CERT@VDE.
CERT@VDE coordinated with TECSON.
