Kunbus has an updated fix for improper authentication, information exposure through query strings in GET request, missing authentication for critical function, improper input validation, and cleartext storage of sensitive information in its PR100088 Modbus gateway, according to a report with NCCIC.
Successful exploitation of these remotely exploitable vulnerabilities, discovered by Nicolas Merle of Applied Risk, could allow an attacker to achieve remote code execution and/or cause a denial-of-service condition.
PR100088 Modbus gateway: All versions prior to Release R02 (or Software Version 1.1.13166) suffer from the issues.
In one vulnerability, an attacker may be able to change the password for an admin user who is currently or previously logged in, provided the device has not been restarted.
CVE-2019-6527 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.6.
In addition, registers used to store Modbus values can be read and written from the web interface without authentication.
CVE-2019-6533 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 10.0.
Also, an attacker could specially craft an FTP request that could crash the device.
CVE-2019-6529 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.9.
In addition, an attacker in a man-in-the-middle (MitM) position could retrieve passwords from an HTTP GET request.
CVE-2019-6531 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.
Also, an attacker could retrieve plain-text credentials stored in an XML file through FTP.
CVE-2019-6549 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.2.
The product is used mainly in the communications sector and is deployed globally.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.
Germany-based Kunbus recommends the following:
• Update to Version R02; installation instructions can be found in the readme file included in the download.
• CVE-2019-6531 and CVE-2019-6549 will be mitigated in Version R03. The expected release is at the end of February 2019.
• These devices are not intended to be used in a public network. Rather, these devices are intended for use in an industrial environment with a protected network architecture.
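As an added illustration, not code from Kunbus or the NCCIC report, the following Python script shows two defender-side checks that follow from the advisory: flagging GET requests that carry credential-like parameters in the query string (the exposure class behind CVE-2019-6531), and flagging gateway requests that originate outside the protected network in which the vendor says the device belongs. The log lines, paths, parameter names and CIDR range are constructed for the example and are not the device's real endpoints.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Common Log Format; not from a real PR100088.
# The paths (/login.cgi, /modbus.cgi) and parameter names are hypothetical.
SAMPLE_LOG = (
    '192.168.10.5 - - [12/Feb/2019:10:01:02 +0000] '
    '"GET /login.cgi?user=admin&password=s3cret HTTP/1.1" 200 512\n'
    '192.168.10.7 - - [12/Feb/2019:10:01:09 +0000] '
    '"GET /status.cgi HTTP/1.1" 200 1024\n'
    '203.0.113.44 - - [12/Feb/2019:10:02:15 +0000] '
    '"GET /modbus.cgi?reg=40001 HTTP/1.1" 200 64\n'
    '192.168.10.9 - - [12/Feb/2019:10:03:00 +0000] '
    '"POST /login.cgi HTTP/1.1" 302 0\n'
)

# Common Log Format: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Parameter names that should never travel in a URL query string,
# because query strings end up in proxy logs, browser history and MitM captures.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "secret", "token"}


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def credential_params(target):
    """Return the sensitive query-parameter names present in a request target."""
    query = urlsplit(target).query
    present = parse_qs(query, keep_blank_values=True)
    return sorted(name for name in present if name.lower() in SENSITIVE_PARAMS)


def source_outside(src, allowed_networks):
    """True when the client address is not inside any allowed network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return True  # unparsable source: treat as untrusted
    return not any(addr in net for net in allowed_networks)


def scan(log_text, allowed_cidrs):
    """Run both checks over every line and return a list of finding dicts."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["method"] == "GET":
            params = credential_params(entry["target"])
            if params:
                findings.append({"src": entry["src"], "target": entry["target"],
                                 "reason": "credential_in_query", "params": params})
        if source_outside(entry["src"], allowed):
            findings.append({"src": entry["src"], "target": entry["target"],
                             "reason": "source_outside_allowed_networks", "params": []})
    return findings


if __name__ == "__main__":
    # 192.168.10.0/24 stands in for the protected OT segment (assumed value).
    for f in scan(SAMPLE_LOG, ["192.168.10.0/24"]):
        print(f"{f['reason']:32} {f['src']:15} {f['target']} {f['params']}")
```

Run against the constructed sample, the script reports the login request that carries a password in its query string and the register request arriving from 203.0.113.44, an address outside the assumed protected segment. In practice the allowed CIDR list would be the gateway's real OT subnet(s), and the log source would be a reverse proxy or network sensor in front of the device, since the advisory gives no indication that the gateway itself produces such logs.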