Multiple vulnerabilities in Econolite EOS



Published: 2023-01-27
Risk High
Patch available NO
Number of vulnerabilities 2
CVE-ID CVE-2023-0451
CVE-2023-0452
CWE-ID CWE-284
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
EOS
Hardware solutions / Firmware

Vendor ECONOLITE

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Improper access control

EUVDB-ID: #VU71589

Risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2023-0451

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper password requirement for gaining "READONLY" access to log files, as well as certain database and configuration files. A remote attacker can bypass implemented security restrictions and gain unauthorized access to sensitive information on the system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

EOS: All versions

External links

http://www.cisa.gov/uscert/ics/advisories/icsa-23-026-02


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Reversible One-Way Hash

EUVDB-ID: #VU71590

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2023-0452

CWE-ID: N/A

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to a weak hash algorithm for encrypting privileged user credentials. A remote attacker can access the configuration file that is accessible without authentication.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

EOS: All versions

External links

http://www.cisa.gov/uscert/ics/advisories/icsa-23-026-02


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###