SB2019102507 - Multiple vulnerabilities in Rittal Chiller SK 3232-Series


Published: October 25, 2019

Security Bulletin ID: SB2019102507
Severity: High
Patch available: NO
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by severity: High 100% (2 of 2)

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Missing Authentication for Critical Function (CVE-ID: CVE-2019-13549)

The vulnerability allows a remote attacker to disrupt the primary operations of the cooling unit.

The vulnerability exists because the authentication mechanism does not provide a sufficient level of protection against unauthorized configuration changes. A remote attacker can modify the primary operations without authentication, namely turn the cooling unit on and off and set the temperature set point.

2) Use of Hard-coded Credentials (CVE-ID: CVE-2019-13553)

The vulnerability allows a remote attacker to disrupt the primary operations of the cooling unit.

The vulnerability exists due to the presence of hard-coded credentials in the application code. A remote unauthenticated attacker who knows these credentials can log in to the affected system and influence its primary operations, namely turning the cooling unit on and off and setting the temperature set point. Because the credentials are fixed in the code, they are the same on every unit and cannot be changed by the operator.
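The two weakness classes above (missing authentication for a critical function, and a hard-coded credential standing in for authentication) are illustrated below as an added example. It is a constructed, hypothetical command handler for a cooling unit, not Rittal firmware and not the SK 3232 network protocol: the command names, the "service123" password and the set-point limits are assumptions chosen for the illustration. The vulnerable class accepts power and set-point commands from anyone and gates its one "protected" function with a password baked into the code; the hardened class requires a per-device credential for every critical command, stores it only as a salted hash, compares in constant time and has no fallback password.

```python
"""Hypothetical cooling-unit command handler illustrating CWE-306 (missing
authentication for a critical function) and CWE-798 (hard-coded credentials)
next to a hardened counterpart. Added example; not Rittal code or protocol."""
import hashlib
import hmac
import os
import secrets

# Commands that change the unit's primary operations (constructed names).
CRITICAL_COMMANDS = {"power_on", "power_off", "set_point"}


class VulnerableChiller:
    """Accepts critical commands with no credential check, and carries a
    hard-coded service password in the code (constructed, not real)."""
    SERVICE_PASSWORD = "service123"   # hard-coded credential (assumption)

    def __init__(self):
        self.powered = True
        self.set_point_c = 20.0

    def handle(self, command, value=None, password=None):
        # No authentication at all for the primary operations...
        if command == "power_on":
            self.powered = True
        elif command == "power_off":
            self.powered = False
        elif command == "set_point":
            self.set_point_c = float(value)
        elif command == "factory_reset":
            # ...and the one gated function relies on a credential that is
            # identical on every unit and readable from the firmware image.
            if password != self.SERVICE_PASSWORD:
                return "denied"
            self.set_point_c = 20.0
        else:
            return "unknown"
        return "ok"


class HardenedChiller:
    """Every critical command requires a per-device credential provisioned at
    install time, stored as a salted PBKDF2 hash and compared in constant
    time. There is no built-in fallback password."""

    def __init__(self, admin_password):
        self.powered = True
        self.set_point_c = 20.0
        self.min_c, self.max_c = 5.0, 40.0      # plausibility limits (assumption)
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(admin_password)

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _authenticated(self, password):
        if password is None:
            return False
        return hmac.compare_digest(self._hash(password), self._pw_hash)

    def handle(self, command, value=None, password=None):
        # Authentication is checked before the command is even parsed.
        if command in CRITICAL_COMMANDS and not self._authenticated(password):
            return "denied"
        if command == "power_on":
            self.powered = True
        elif command == "power_off":
            self.powered = False
        elif command == "set_point":
            sp = float(value)
            if not self.min_c <= sp <= self.max_c:
                return "rejected"   # range check even for authenticated callers
            self.set_point_c = sp
        else:
            return "unknown"
        return "ok"


def demo():
    """Unauthenticated shutdown succeeds on the vulnerable unit and is refused
    by the hardened one; returns both results and both power states."""
    v = VulnerableChiller()
    h = HardenedChiller(admin_password=secrets.token_urlsafe(16))
    return v.handle("power_off"), v.powered, h.handle("power_off"), h.powered


if __name__ == "__main__":
    print(demo())   # ('ok', False, 'denied', True)
```

The hardened version also rejects an out-of-range set point, since an attacker who does obtain a credential should still not be able to drive the unit outside a sane operating window.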



Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor. Until a fix is available, the unit's network interface should not be reachable from untrusted networks, since both issues are exploitable by a remote unauthenticated attacker.