Share: Email | Twitter

ID

VDE-2020-043

Published

2020-10-16 08:54 (CEST)

Last update

2020-10-16 08:54 (CEST)

Vendor(s)

Bender GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
B95061060 COM465DP < 4.2.0
B95061061 COM465DP < 4.2.0
B95061070 COM465ID < 4.2.0
B95061065 COM465IP < 4.2.0
B95061066 COM465IP < 4.2.0
B95061030 CP700 < 4.2.0
B95061080 CP907 < 4.2.0
B95061081 CP915 < 4.2.0
B95061085 CP915 < 4.2.0
B95061092 CP915 < 4.2.0

Summary

Bender is publishing this advisory to inform customers about a security vulnerability in all devices running the COMTRAXX software.

The user authorization is validated for most, but not all routes in the system. A user with knowledge about the routes can read and write configuration data without prior authorization.


Weakness

Missing Authorization  (CWE-862) 

Summary

In Bender COMTRAXX, user authorization is validated for most, but not all, routes in the system. A user with knowledge about the routes can read and write configuration data without prior authorization. This affects COM465IP, COM465DP, COM465ID, CP700, CP907, and CP915 devices before 4.2.0.


Impact

The vulnerability allows a malicious entity to bypass credential check.

Solution

Mitigation
• restrict network access to the above-mentioned devices
• install latest software update

Solution
Please install V4.2.0. (https://www.bender.de/service-support/downloadbereich)

Reported by

Bender would like to thank Maxim Rupp for reporting the issue.

The issue was coordinated by CERT@VDE.