ID

VDE-2020-017

Published

2020-05-29 12:00 (CEST)

Last update

2020-05-29 12:00 (CEST)

Vendor(s)

Pepperl+Fuchs SE

Product(s)

Article No. | Product Name | Affected Version(s)
            | PACTware     | <= 5.0.4.xx
            | PACTware     | <= 4.1 SP5
            | PACTware     | <= 3.x
            | PACTware     | <= 2.4

Summary

PACTware passwords are stored in a recoverable format (CVE-2020-9403)

PACTware passwords may be modified without knowing the current password (CVE-2020-9404)

Vulnerabilities



Weakness
Unverified Password Change (CWE-620)
Summary

PACTware passwords may be modified without knowing the current password

Weakness
Storing Passwords in a Recoverable Format (CWE-257)
Summary

PACTware passwords are stored in a recoverable format

Impact

PACTware supports ‘user roles’, which limit user access according to FDT Guidelines. By default, no passwords are set and the default user has the user role ‘admin’ with no limitations.
If the user enables role access control, each role may be protected with an individual password.
These settings could be changed by a local user without any verification. This means a local user may modify role enablement, and role passwords, without authenticating first. (CVE-2020-9404)
The settings can be read by a local user with no verification. It is possible to recover passwords for the roles, if passwords were previously set. (CVE-2020-9403)
If the user has not enabled individual roles, an attacker may enable the roles and assign passwords to them. This could block legitimate users from using the software.

Solution

PACTware will protect stored passwords against manipulation by using a salted password-encryption mechanism with an additional SHA256 hash. (CVE-2020-9403)
Any further change in ‘user role’ administration will require confirmation with the current login password. (CVE-2020-9404)

This will be fixed in the following versions (and higher):

  • PACTware 5.0.5.31
  • PACTware 4.1 SP6

Overview of the version history: https://pactware.com/de/service
You can protect yourself against manipulation by restricting access to the PC where PACTware is installed.
If a password is not known, it can be reset by reinstalling PACTware (all PACTware versions).
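
The two fixes described in this section, sketched as an added example that is not PACTware's code: role passwords are kept only as salted PBKDF2-HMAC-SHA256 digests (a standard construction substituted here, since the advisory does not specify the vendor's exact scheme), and a change is applied only after the current password is verified. The `RoleStore` class, the iteration count, the sample roles and the rule that a role without a password may receive its first one are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor, not a value from the advisory

def _derive(password: str, salt: bytes) -> bytes:
    # Salted, one-way derivation: the stored value cannot be decoded back.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

class RoleStore:
    """Hypothetical role-password store (not PACTware's data model)."""

    def __init__(self, roles):
        self._records = {role: None for role in roles}  # None = no password set

    def verify(self, role, password):
        record = self._records[role]
        if record is None or password is None:
            return False
        salt, digest = record
        return hmac.compare_digest(_derive(password, salt), digest)

    def set_password(self, role, new_password, current_password=None):
        """Change a role password; returns True only if the change was applied."""
        # CWE-620 fix: an existing password can only be replaced by someone
        # who proves knowledge of it. Assumption: a role that has no password
        # yet (the default state) may be given its first one.
        if self._records[role] is not None and not self.verify(role, current_password):
            return False
        salt = secrets.token_bytes(16)  # fresh salt per change
        self._records[role] = (salt, _derive(new_password, salt))
        return True

    def stored_record(self, role):
        return self._records[role]  # what would be written to disk

def demo():
    store = RoleStore(["admin", "operator"])  # constructed sample roles
    first = store.set_password("admin", "constructed-pass-1")
    blind = store.set_password("admin", "other-value")            # no proof
    wrong = store.set_password("admin", "other-value", "guess")   # bad proof
    good = store.set_password("admin", "constructed-pass-2", "constructed-pass-1")
    return first, blind, wrong, good, store.verify("admin", "constructed-pass-2")

if __name__ == "__main__":
    print(demo())
```

Hashing alone does not stop a local user from overwriting the stored record, so the advice above to restrict access to the PC still applies.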

Reported by

Reid Wightman from Dragos, Inc
Coordinated by CERT@VDE and BSI