Incorrect permission assignment for critical resource in Phoenix Contact Emalytics Controller ILC 2050 BI and BI-L



Published: 2020-02-18
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-8768
CWE-ID CWE-732
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Emalytics Controller ILC 2050 BI
Hardware solutions / Other hardware appliances

Emalytics Controller ILC 2050 BI-L
Hardware solutions / Other hardware appliances

Vendor Phoenix Contact GmbH

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Incorrect permission assignment for critical resource

EUVDB-ID: #VU25418

Risk: High

CVSSv3.1: 8.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8768

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to unintended functionality on the target system.

The vulnerability exists due to an insecure mechanism for read and write access to the configuration of the device. A remote attacker can examine a link on the website of the device, discover this mechanism, change the device configuration and start or stop services.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Emalytics Controller ILC 2050 BI: before 1.2.3

Emalytics Controller ILC 2050 BI-L: before 1.2.3

External links

http://cert.vde.com/de-de/advisories/vde-2020-001


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###