PEPPERL+FUCHS, PACTware: Two password vulnerabilities found

The software product PACTware is a manufacturer- and fieldbus-independent operating software for all field devices and protocols. PACTware Consortium is aware of a vulnerability in the PACTware Software product.

VDE-2020-017 (2020-05-29 12:00 UTC+0200)

Affected Vendors

PACTware, Pepperl+Fuchs

Affected Products

  • PACTware 5.0.4.xx and lower
  • PACTware 4.1 SP5 and lower
  • PACTware 3.X and lower
  • PACTware 2.4 and lower

Vulnerability Type

Unverified Password Change (CWE-620)

Summary

  1. PACTware passwords are stored in a recoverable format (CVE-2020-9403)
    • CVSS: 5.5 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
    • CWE: Storing Passwords in a Recoverable Format (CWE-257)
  2. PACTware passwords may be modified without knowing the current password (CVE-2020-9404)
    • CVSS: 7.1 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
    • CWE: Unverified Password Change (CWE-620)

Impact

PACTware supports ‘user roles’, which limit user access according to FDT Guidelines. By default, no passwords are set and the default user has the user role ‘admin’ with no limitations.
If the user enables role access control, each role may be protected with an individual password.
These settings could be changed by a local user without any verification. This means a local user may modify role enablement, and role passwords, without authenticating first. (CVE-2020-9404)
The settings can be read by a local user with no verification. It is possible to recover passwords for the roles, if passwords were previously set. (CVE-2020-9403)
If the user has not enabled individual roles, an attacker may enable the roles and assign passwords to them. This could block legitimate users from using the software.

Solution

PACTware will protect stored passwords against manipulation by using a salted password encryption mechanism with an additional SHA256 hash. (CVE-2020-9403)
Any further changes in ‘user role’ administration will require confirmation with the current login password. (CVE-2020-9404)
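
The two fixes described above can be illustrated with the following Python example, which is added here and is not PACTware code or part of the advisory. The `RoleStore` class, its method names, the use of PBKDF2 with SHA-256 and the iteration count are assumptions chosen for illustration; the advisory does not disclose PACTware's actual scheme or storage format.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, chosen for this example


class RoleStore:
    """Hypothetical role-password store (not PACTware's storage format)."""

    def __init__(self):
        self._records = {}  # role name -> (salt, derived key)

    @staticmethod
    def _derive(password, salt):
        # Salted, iterated SHA-256 (PBKDF2): one-way, so the stored value
        # cannot be turned back into the password (addresses CWE-257).
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def has_password(self, role):
        return role in self._records

    def verify(self, role, password):
        record = self._records.get(role)
        if record is None:
            return False
        salt, key = record
        # Constant-time comparison of the derived keys.
        return hmac.compare_digest(key, self._derive(password, salt))

    def set_initial_password(self, role, new_password):
        # Only allowed while the role has no password at all.
        if self.has_password(role):
            raise PermissionError("role already protected; use change_password")
        self._store(role, new_password)

    def change_password(self, role, current_password, new_password):
        # Confirmation with the current password before any change (CWE-620).
        if not self.verify(role, current_password):
            raise PermissionError("current password is required to change it")
        self._store(role, new_password)

    def _store(self, role, password):
        salt = os.urandom(16)  # fresh random salt per role and per change
        self._records[role] = (salt, self._derive(password, salt))
```

A role with no password yet can still be claimed by whoever sets it first, which is why restricting local access to the PC remains necessary.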

This will be fixed in the following versions (and higher):

  • PACTware 5.0.5.31
  • PACTware 4.1 SP6

Overview of the version history: https://pactware.com/de/service
You can protect yourself against manipulation by restricting access to the PC where PACTware is installed.
If passwords are not known, they can be reset by reinstalling PACTware (all PACTware versions).

Reported by

Reid Wightman from Dragos, Inc 
coordinated by CERT@VDE and BSI