Gerhard Hechenberger

Name of the Vulnerable Software and Affected Versions: CPCI85 Central Processing/Communication versions prior to V05.30 Description: A vulnerability has been identified in the CPCI85 Central Processing/Communication devices. The affected devices contain a secure element connected via an unencrypted SPI bus. This could allow an attacker with physical access to the SPI bus to observe the password used for the secure element authentication, and then use the secure element as an oracle to decrypt all encrypted update files. Recommendations: For versions prior to V05.30, consider restricting physical access to the SPI bus as a temporary mitigation measure until a patch is available. Additionally, avoid using the secure element for authentication until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: CPCI85 Central Processing/Communication versions prior to V5.40 SICORE Base system versions prior to V1.4.0 Description: A vulnerability has been identified that allows a remote authenticated user or an unauthenticated user with physical access to downgrade the firmware of the device. This could allow an attacker to downgrade the device to older versions with known vulnerabilities. The issue is related to the lack of authentication for a critical function, which can be exploited by a remote attacker to lower the device's firmware version. Recommendations: For CPCI85 Central Processing/Communication versions prior to V5.40, update to version V5.40 or later to resolve the issue. For SICORE Base system versions prior to V1.4.0, update to version V1.4.0 or later to resolve the issue. As a temporary workaround, consider restricting physical access to the devices and limiting remote access to authenticated users only until a patch is applied.

Name of the Vulnerable Software and Affected Versions: OPUPI0 AMQP/MQTT versions prior to V5.30 Description: A vulnerability has been identified that allows an attacker with remote shell access or physical access to retrieve credentials due to insufficient protection of stored MQTT client passwords, leading to confidentiality loss. The issue is related to the storage of confidential information without encryption. Recommendations: For versions prior to V5.30, update to version V5.30 or later to resolve the issue. As a temporary workaround, consider restricting access to the device to minimize the risk of exploitation. Avoid using the device until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: CPCI85 Central Processing/Communication versions prior to V5.30 SICORE Base system versions prior to V1.3.0 Description: A command injection vulnerability exists due to missing server-side input sanitation in the web interface of affected devices. This could allow an authenticated privileged remote attacker to execute arbitrary code with root privileges. Recommendations: For CPCI85 Central Processing/Communication versions prior to V5.30, update to version V5.30 or later. For SICORE Base system versions prior to V1.3.0, update to version V1.3.0 or later. As a temporary workaround, consider restricting access to the web interface of affected devices to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CP-8031 MASTER MODULE versions prior to CPCI85 V05 CP-8050 MASTER MODULE versions prior to CPCI85 V05 **Description** A vulnerability has been identified in the web interface of affected devices due to missing server-side input sanitation, making it vulnerable to command injection. This could allow an authenticated privileged remote attacker to execute arbitrary code with root privileges. **Recommendations** For CP-8031 MASTER MODULE versions prior to CPCI85 V05, update to version CPCI85 V05 or later to resolve the issue. For CP-8050 MASTER MODULE versions prior to CPCI85 V05, update to version CPCI85 V05 or later to resolve the issue. As a temporary workaround, consider restricting access to the web interface of affected devices to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CP-8031 MASTER MODULE versions prior to CPCI85 V05 CP-8050 MASTER MODULE versions prior to CPCI85 V05 **Description** A vulnerability has been identified that involves the use of hard-coded credentials in the firmware of the affected devices. This could allow an attacker with direct physical access to exploit the vulnerability for UART console login to the device, potentially leading to privilege escalation. **Recommendations** For CP-8031 MASTER MODULE versions prior to CPCI85 V05, update to version CPCI85 V05 or later to resolve the issue. For CP-8050 MASTER MODULE versions prior to CPCI85 V05, update to version CPCI85 V05 or later to resolve the issue. As a temporary workaround, consider restricting physical access to the devices until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** CP-8031 MASTER MODULE versions prior to CPCI85 V05 CP-8050 MASTER MODULE versions prior to CPCI85 V05 **Description** A vulnerability has been identified that involves an exposed UART console login interface. This issue could allow an attacker with direct physical access to attempt bruteforcing or cracking the root password to gain login access to the device. The vulnerability is related to the web server software of the Siemens SICAM processor control modules, specifically affecting the CP-8031 and CP-8050 models. Exploitation of this vulnerability may enable an attacker to elevate their privileges to the root level. **Recommendations** For CP-8031 MASTER MODULE versions prior to CPCI85 V05, consider restricting physical access to the device to prevent potential bruteforcing or password cracking attempts until a patch or update is available. For CP-8050 MASTER MODULE versions prior to CPCI85 V05, consider restricting physical access to the device to prevent potential bruteforcing or password cracking attempts until a patch or update is available. As a temporary workaround, consider disabling the UART console login interface on both CP-8031 and CP-8050 MASTER MODULEs to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CP-8031 MASTER MODULE versions prior to CPCI85 V05 CP-8050 MASTER MODULE versions prior to CPCI85 V05 **Description** The issue is related to insufficient argument checking in the web server of the Siemens SICAM CP-8031 and CP-8050 processor control modules. This can be exploited by a remote attacker to execute arbitrary commands via the web server port 443/tcp if the `Remote Operation` parameter is enabled. By default, the `Remote Operation` parameter is disabled. The vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device. **Recommendations** For CP-8031 MASTER MODULE versions prior to CPCI85 V05, update to version CPCI85 V05 or later to resolve the issue. For CP-8050 MASTER MODULE versions prior to CPCI85 V05, update to version CPCI85 V05 or later to resolve the issue. As a temporary workaround, consider disabling the `Remote Operation` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Connected Vehicle Systems Alliance (COVESA) dlt-daemon versions 2.18.8 and earlier **Description** An issue was discovered due to a faulty DLT file parser, allowing a crafted DLT file to crash the process. This is caused by missing validation checks, resulting in a heap-based buffer over-read of one byte. **Recommendations** For versions 2.18.8 and earlier, update to a version later than 2.18.8 to resolve the issue. As a temporary workaround, consider validating DLT files before processing them to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Connected Vehicle Systems Alliance (COVESA) dlt-daemon versions through 2.18.8 **Description** An issue was discovered due to a faulty DLT file parser, allowing a crafted DLT file to crash the process. This is caused by missing validation checks, resulting in a NULL pointer dereference. **Recommendations** For versions through 2.18.8, consider disabling the DLT file parser functionality until a patch is available to prevent potential crashes due to crafted DLT files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Gentics CMS versions prior to 5.43.1 **Description** An issue was discovered that allows an attacker to deserialize arbitrary data by uploading a malicious ZIP file, potentially achieving Java code execution. **Recommendations** For versions prior to 5.43.1, update to version 5.43.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Gentics CMS versions prior to 5.43.1 **Description** The issue concerns stored XSS in the profile description and in the username. **Recommendations** For versions prior to 5.43.1, update to version 5.43.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SICAM A8000 CP-8031 versions prior to V4.80 SICAM A8000 CP-8050 versions prior to V4.80 **Description** A vulnerability has been identified that allows unauthenticated attackers to access certain files without requiring user authentication. This could enable remote attackers to read arbitrary files. **Recommendations** For SICAM A8000 CP-8031 versions prior to V4.80, update to version V4.80 or later to resolve the issue. For SICAM A8000 CP-8050 versions prior to V4.80, update to version V4.80 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive files until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Cisco IP Phone (affected versions not specified) **Description** A vulnerability in the information storage architecture of several Cisco IP Phone models could allow an unauthenticated, physical attacker to obtain confidential information from an affected device. This issue is due to unencrypted storage of confidential information on an affected device. An attacker could exploit this by physically extracting and accessing one of the flash memory chips. A successful exploit could allow the attacker to obtain confidential information from the device, which could be used for subsequent attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT versions prior to V2.4.7.56 Description: The issue allows unauthenticated crafted invalid requests to result in several denial-of-service conditions. This can cause running PLC programs to be stopped, memory to be leaked, or further communication clients to be blocked from accessing the PLC. Recommendations: For versions prior to V2.4.7.56, update to version V2.4.7.56 or later to resolve the issue. As a temporary workaround, consider restricting access to the system to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** NetModule NB800 versions prior to 4.3.0.113 NetModule NB1600 versions prior to 4.4.0.111 NetModule NB1601 versions prior to 4.4.0.111 NetModule NB1800 versions prior to 4.4.0.111 NetModule NB1810 versions prior to 4.4.0.111 NetModule NB2700 versions prior to 4.5.0.105 NetModule NB2710 versions prior to 4.5.0.105 NetModule NB2800 versions prior to 4.5.0.105 NetModule NB2810 versions prior to 4.5.0.105 NetModule NB3700 versions prior to 4.5.0.105 NetModule NB3701 versions prior to 4.5.0.105 NetModule NB3710 versions prior to 4.5.0.105 NetModule NB3711 versions prior to 4.5.0.105 NetModule NB3720 versions prior to 4.5.0.105 NetModule NB3800 versions prior to 4.5.0.105 **Description** Certain NetModule devices allow credentials via GET parameters to CLI-PHP. The affected models include NB800, NB1600, NB1601, NB1800, NB1810, NB2700, NB2710, NB2800, NB2810, NB3700, NB3701, NB3710, NB3711, NB3720, and NB3800. **Recommendations** For NetModule NB800 version prior to 4.3.0.113, update to version 4.3.0.113 or later. For NetModule NB1600 version prior to 4.4.0.111, update to version 4.4.0.111 or later. For NetModule NB1601 version prior to 4.4.0.111, update to version 4.4.0.111 or later. For NetModule NB1800 version prior to 4.4.0.111, update to version 4.4.0.111 or later. For NetModule NB1810 version prior to 4.4.0.111, update to version 4.4.0.111 or later. For NetModule NB2700 version prior to 4.5.0.105, update to version 4.5.0.105 or later. For NetModule NB2710 version prior to 4.5.0.105, update to version 4.5.0.105 or later. For NetModule NB2800 version prior to 4.5.0.105, update to version 4.5.0.105 or later. For NetModule NB2810 version prior to 4.5.0.105, update to version 4.5.0.105 or later. For NetModule NB3700 version prior to 4.5.0.105, update to version 4.5.0.105 or later. For NetModule NB3701 version prior to 4.5.0.105, update to version 4.5.0.105 or later. For NetModule NB3710 version prior to 4.5.0.105, update to version 4.5.0.105 or later. For NetModule NB3711 version prior to 4.5.0.105, update to version 4.5.0.105 or later. For NetModule NB3720 version prior to 4.5.0.105, update to version 4.5.0.105 or later. For NetModule NB3800 version prior to 4.5.0.105, update to version 4.5.0.105 or later.

**Name of the Vulnerable Software and Affected Versions** NetModule NB800 versions prior to 4.3.0.113 NetModule NB1600 versions prior to 4.4.0.111 NetModule NB1601 versions prior to 4.4.0.111 NetModule NB1800 versions prior to 4.4.0.111 NetModule NB1810 versions prior to 4.4.0.111 NetModule NB2700 versions prior to 4.5.0.105 NetModule NB2710 versions prior to 4.5.0.105 NetModule NB2800 versions prior to 4.5.0.105 NetModule NB2810 versions prior to 4.5.0.105 NetModule NB3700 versions prior to 4.5.0.105 NetModule NB3701 versions prior to 4.5.0.105 NetModule NB3710 versions prior to 4.5.0.105 NetModule NB3711 versions prior to 4.5.0.105 NetModule NB3720 versions prior to 4.5.0.105 NetModule NB3800 versions prior to 4.5.0.105 **Description** The issue allows Limited Session Fixation via `PHPSESSID`. This can affect certain NetModule devices. **Recommendations** For NetModule NB800 version prior to 4.3.0.113, update to version 4.3.0.113 or later. For NetModule NB1600, NB1601, NB1800, and NB1810 versions prior to 4.4.0.111, update to version 4.4.0.111 or later. For NetModule NB2700, NB2710, NB2800, NB2810, NB3700, NB3701, NB3710, NB3711, NB3720, and NB3800 versions prior to 4.5.0.105, update to version 4.5.0.105 or later. As a temporary workaround, consider restricting access to the `PHPSESSID` session identifier until a patch is available.

**Name of the Vulnerable Software and Affected Versions** NetModule NB800 versions prior to 4.3.0.113 NetModule NB1600 versions prior to 4.3.0.113 NetModule NB1601 versions prior to 4.3.0.113 NetModule NB1800 versions prior to 4.3.0.113 NetModule NB1810 versions prior to 4.3.0.113 NetModule NB2700 versions prior to 4.3.0.113 NetModule NB2710 versions prior to 4.3.0.113 NetModule NB2800 versions prior to 4.4.0.111 NetModule NB2810 versions prior to 4.4.0.111 NetModule NB3700 versions prior to 4.5.0.105 NetModule NB3701 versions prior to 4.5.0.105 NetModule NB3710 versions prior to 4.5.0.105 NetModule NB3711 versions prior to 4.5.0.105 NetModule NB3720 versions prior to 4.5.0.105 NetModule NB3800 versions prior to 4.5.0.105 **Description** The issue concerns insecure password handling, where passwords are stored in cleartext or reversible encryption. This affects various NetModule devices with firmware versions before specific updates. **Recommendations** For NetModule NB800, update to firmware version 4.3.0.113 or later. For NetModule NB1600, update to firmware version 4.3.0.113 or later. For NetModule NB1601, update to firmware version 4.3.0.113 or later. For NetModule NB1800, update to firmware version 4.3.0.113 or later. For NetModule NB1810, update to firmware version 4.3.0.113 or later. For NetModule NB2700, update to firmware version 4.3.0.113 or later. For NetModule NB2710, update to firmware version 4.3.0.113 or later. For NetModule NB2800, update to firmware version 4.4.0.111 or later. For NetModule NB2810, update to firmware version 4.4.0.111 or later. For NetModule NB3700, update to firmware version 4.5.0.105 or later. For NetModule NB3701, update to firmware version 4.5.0.105 or later. For NetModule NB3710, update to firmware version 4.5.0.105 or later. For NetModule NB3711, update to firmware version 4.5.0.105 or later. For NetModule NB3720, update to firmware version 4.5.0.105 or later. For NetModule NB3800, update to firmware version 4.5.0.105 or later.