|<= 4.1 SP5
PACTware passwords are stored in a recoverable format (CVE-2020-9403)
PACTware passwords may be modified without knowing the current password (CVE-2020-9404)
PACTware supports ‘user roles’, which limit user access according to FDT Guide- lines. By default, no passwords are set and the default user has the user role ‘admin’ with no limitations.
If the user enables role access control, each role may be protected with an indi- vidual password.
These settings could be changed by a local user without any verification. This means a local user may modify role enablement, and role passwords, without authenticating first. (CVE-2020-9404)
The settings can be read by a local user with no verification. It is possible to recover passwords for the roles, if passwords were previously set. (CVE-2020-9403)
If the user has not enabled individual roles, an attacker may enable the roles and assign passwords to them. This could block legitimate users from using the software.
PACTware will protect the manipulation of stored passwords by using a salted mechanism of password encryption with an additional SHA256 hash. (CVE-2020-9403)
Any further changes in ‘user role’-administration will need a confirmation by using the current login password. (CVE-2020-9404)
This will be fixed in following versions (and higher):
Overview about version history: https://pactware.com/de/service
You can protect yourself against manipulation by restricting the access to the PC where PACTware is installed.
In case of not known passwords it can be reset by reinstallation of PACTware (all PACTware versions).
Reid Wightman from Dragos, Inc
Coordinated by CERT@VDE and BSI