PT-2020-20295 · Gurux · Gurux Gxdlms Director

Maciej Miszczyk · Published 2020-02-25 · Updated 2020-02-27 · CVE-2020-8809

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Gurux GXDLMS Director versions prior to 8.5.1905.1301

Description: GXDLMS Director retrieves gurux.fi/obis/files.xml and gurux.fi/updates/updates.xml over unencrypted HTTP. A man-in-the-middle attacker can modify the contents of these files so that the user is prompted to download updates, which are likewise fetched over the unencrypted HTTP connection. This can lead to code execution, either directly through add-ins if they are used, or through OBIS codes, which are necessary for communication with energy meters.

Recommendations: For versions prior to 8.5.1905.1301, update to version 8.5.1905.1301 or later to resolve the issue. As a temporary workaround, consider restricting access to the gurux.fi/obis/files.xml and gurux.fi/updates/updates.xml files to minimize the risk of exploitation, and avoid downloading updates over unencrypted HTTP connections until the issue is resolved.

Related Identifiers: CVE-2020-8809

Affected Products: Gurux GXDLMS Director