Incorrect permission assignment for critical resource in Phoenix Contact Emalytics Controller ILC 2050 BI and BI-L

Published: 2020-02-18

Risk	High
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2020-8768
CWE-ID	CWE-732
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Emalytics Controller ILC 2050 BI Hardware solutions / Other hardware appliances Emalytics Controller ILC 2050 BI-L Hardware solutions / Other hardware appliances
Vendor	Phoenix Contact GmbH

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Incorrect permission assignment for critical resource

EUVDB-ID: #VU25418

Risk: High

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-8768

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to unintended functionality on the target system.

The vulnerability exists due to an insecure mechanism for read and write access to the configuration of the device. A remote attacker can examine a link on the website of the device, discover this mechanism, change the device configuration and start or stop services.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Emalytics Controller ILC 2050 BI: before 1.2.3

Emalytics Controller ILC 2050 BI-L: before 1.2.3

CPE2.3

External links

https://cert.vde.com/de-de/advisories/vde-2020-001

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.