Hetronic has released new firmware to address an authentication bypass by capture-replay vulnerability in its Nova-M remote control system, according to a report with NCCIC.
Successful exploitation of this vulnerability, discovered by Jonathan Andersson, Philippe Z Lin, Akira Urano, Marco Balduzzi, Federico Maggi, Stephen Hilt, and Rainer Vosseler working with Trend Micro’s Zero Day Initiative, could allow unauthorized users to view commands, replay commands, control the device, or stop the device from running.
The following versions of Hetronic remote control transmitters and receivers suffer from the vulnerability:
• Nova-M: All versions prior to r161
• ES-CAN-HL: All versions prior to Main r1864, Estop_v24
• BMS-HL: All versions prior to Main r1175, Estop_v24
• MLC: All versions prior to Main r1600, Estop_v24
• DC Mobile: All versions prior to Main r515, Estop_v24
The underlying weakness is that these devices use fixed codes: an attacker who sniffs the radio traffic can reproduce a valid frame simply by re-transmitting it. This allows unauthorized replay of a command, spoofing of an arbitrary message, or keeping the controlled load in a permanent “stop” state.
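The following is an added illustration, not code from Hetronic or from the advisory, of why a fixed-code radio link fails against capture and replay and why a counter plus a message authentication code defeats it. The frame layout, opcodes, the 32-bit pairing code, the 8-byte HMAC tag and the counter window are all assumptions made for the model; it does not reproduce the Hetronic air protocol, and the hardened variant is the generic mitigation, not a description of what the vendor firmware does.

```python
import hashlib
import hmac
import struct

# Constructed, simplified model of a fixed-code RF remote and a replay-resistant
# alternative. Frame layout, opcodes and sizes are assumptions for illustration,
# not the Hetronic air protocol.
CMD_STOP = 0x00
CMD_RUN = 0x01


class FixedCodeTransmitter:
    """Every frame carries the same static pairing code (the vulnerable design)."""

    def __init__(self, pairing_code: int):
        self.pairing_code = pairing_code

    def send(self, cmd: int) -> bytes:
        return struct.pack(">IB", self.pairing_code, cmd)


class FixedCodeReceiver:
    """Accepts any frame whose pairing code matches; nothing ties a frame to a moment in time."""

    def __init__(self, pairing_code: int):
        self.pairing_code = pairing_code
        self.state = "idle"

    def handle(self, frame: bytes) -> bool:
        if len(frame) != 5:
            return False
        code, cmd = struct.unpack(">IB", frame)
        if code != self.pairing_code:
            return False
        self.state = "stopped" if cmd == CMD_STOP else "running"
        return True


class RollingCodeTransmitter:
    """Monotonic counter plus HMAC over (counter, cmd); the shared key never goes over the air."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def send(self, cmd: int) -> bytes:
        self.counter += 1
        body = struct.pack(">IB", self.counter, cmd)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        return body + tag


class RollingCodeReceiver:
    """Rejects bad MACs and any counter that does not move strictly forward within a window."""

    def __init__(self, key: bytes, window: int = 16):
        self.key = key
        self.window = window
        self.last_counter = 0
        self.state = "idle"

    def handle(self, frame: bytes) -> bool:
        if len(frame) != 13:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False
        counter, cmd = struct.unpack(">IB", body)
        if counter <= self.last_counter or counter - self.last_counter > self.window:
            return False  # replayed, stale, or implausibly far ahead
        self.last_counter = counter
        self.state = "stopped" if cmd == CMD_STOP else "running"
        return True


def attack(tx, rx) -> dict:
    """Sniff one legitimate RUN frame, then replay it and forge a STOP from it.

    Returns whether the receiver accepted each attacker frame and its final state."""
    captured = tx.send(CMD_RUN)
    assert rx.handle(captured), "legitimate frame must be accepted"
    replayed = rx.handle(captured)
    # Forgery: keep the sniffed header, swap in a STOP opcode, keep any trailing bytes.
    forged = captured[:4] + bytes([CMD_STOP]) + captured[5:]
    spoofed = rx.handle(forged)
    return {"replay_accepted": replayed, "spoof_accepted": spoofed, "state": rx.state}


def fixed_code_outcome() -> dict:
    return attack(FixedCodeTransmitter(0xA5A5A5A5), FixedCodeReceiver(0xA5A5A5A5))


def rolling_code_outcome() -> dict:
    key = b"constructed-demo-key"  # assumed pre-shared pairing key for the model
    return attack(RollingCodeTransmitter(key), RollingCodeReceiver(key))


if __name__ == "__main__":
    print("fixed code:  ", fixed_code_outcome())
    print("rolling code:", rolling_code_outcome())
```

With the fixed-code pair, the replayed frame and the forged STOP are both accepted and the load ends in the "stopped" state, which is the permanent-stop scenario the advisory describes; with the counter-and-MAC pair, the replay fails the freshness check and the forgery fails the MAC, while the next genuine frame from the paired transmitter still goes through.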
CVE-2018-19023 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 7.6.
The product is used across multiple manufacturing sectors and is deployed worldwide.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.
Hetronic recommends all Nova-M users update their radio transmitters to firmware version r161 and their receivers to the following versions:
• ES-CAN-HL: Main r1864, Estop_v24
• BMS-HL: Main r1175, Estop_v24
• MLC: Main r1600, Estop_v24
• DC Mobile: Main r515, Estop_v24
The new firmware patches can be obtained free of charge by signing in to the Hetronic website portal or by bringing the transmitter and receiver to any Hetronic service center.