#VU25418 Incorrect permission assignment for critical resource in Emalytics Controller ILC 2050 BI and Emalytics Controller ILC 2050 BI-L - CVE-2020-8768

Cybersecurity Help s.r.o.

Published: 2020-02-18

Vulnerability identifier: #VU25418

Vulnerability risk: High

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-8768

CWE-ID: CWE-732

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Emalytics Controller ILC 2050 BI
Hardware solutions / Other hardware appliances
Emalytics Controller ILC 2050 BI-L
Hardware solutions / Other hardware appliances

Vendor: Phoenix Contact GmbH

Description

The vulnerability allows a remote attacker to gain access to unintended functionality on the target system.

The vulnerability exists due to an insecure mechanism for read and write access to the configuration of the device. A remote attacker can examine a link on the website of the device, discover this mechanism, change the device configuration and start or stop services.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Emalytics Controller ILC 2050 BI: before 1.2.3

Emalytics Controller ILC 2050 BI-L: before 1.2.3

External links
https://cert.vde.com/de-de/advisories/vde-2020-001

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Incorrect permission assignment for critical resource in Phoenix Contact Emalytics Controller ILC 2050 BI and BI-L