BENDER: COMTRAXX - Inadequate credentials check

Bender COMTRAXX Vulnerability - Inadequate Credentials Check / CWE-287 Improper Authentication

VDE-2020-043 (2020-10-16 09:54 UTC+0200)

CVE Identifier

CVE-2019-19885

Affected Vendors

Bender

Affected Products

Device     Order number                          Affected versions
COM465IP   B95061065, B95061066                  <4.2.0
COM465DP   B95061060, B95061061                  <4.2.0
COM465ID   B95061070                             <4.2.0
CP700      B95061030                             <4.2.0
CP907      B95061080                             <4.2.0
CP915      B95061081, B95061085, B95061092       <4.2.0

Vulnerability Type

Improper Authentication (CWE-287)

Summary

Bender is publishing this advisory to inform customers about a security vulnerability in all devices running the COMTRAXX software.

User authorization is validated for most, but not all, routes in the system. A user who knows the unprotected routes can read and write configuration data without prior authorization.
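The defect described above is a per-route authentication check that was omitted on some routes. The following added example (not Bender's code; route names and configuration values are constructed) shows the deny-by-default alternative: the credential check sits in the dispatcher, every route requires authentication unless it explicitly opts out, and an audit helper lists the routes that bypass the check so reviewers can see them at a glance.

```python
# Added example, not Bender's code: a deny-by-default dispatcher for an
# HTTP-style configuration API. Route names and config values are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

CONFIG = {"ntp_server": "ntp.example.test"}   # constructed sample device state

@dataclass
class Route:
    handler: Callable[[dict], str]
    auth_required: bool = True   # opting out must be explicit and visible

@dataclass
class Router:
    routes: Dict[Tuple[str, str], Route] = field(default_factory=dict)

    def add(self, method: str, path: str, handler, auth_required: bool = True):
        self.routes[(method, path)] = Route(handler, auth_required)

    def public_routes(self):
        """Audit helper: every route that skips the credential check."""
        return sorted(p for (_, p), r in self.routes.items() if not r.auth_required)

    def dispatch(self, method: str, path: str, session: dict):
        route = self.routes.get((method, path))
        if route is None:
            return 404, "not found"
        # One central check: no handler is reachable without passing it, so a
        # newly added route cannot silently lack authentication.
        if route.auth_required and not session.get("authenticated"):
            return 401, "authentication required"
        return 200, route.handler(session)

def build_example_router() -> Router:
    r = Router()
    r.add("GET", "/login", lambda s: "login form", auth_required=False)
    r.add("GET", "/api/config", lambda s: CONFIG["ntp_server"])
    def write_config(session):
        CONFIG["ntp_server"] = session["body"]
        return "updated"
    r.add("POST", "/api/config", write_config)   # protected by default
    return r

if __name__ == "__main__":
    r = build_example_router()
    print("routes without credential check:", r.public_routes())
    print(r.dispatch("GET", "/api/config", {}))
    print(r.dispatch("GET", "/api/config", {"authenticated": True}))
```

Running public_routes() in a test or CI step turns "a route without the check" from a silent omission into an explicit, reviewable list.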

Impact

The vulnerability allows a malicious entity to bypass the credential check.

Solution

Mitigation

• restrict network access to the above-mentioned devices
• install the latest software update

Security Updates

Please install V4.2.0. (https://www.bender.de/service-support/downloadbereich)

Reported by

Bender would like to thank Maxim Rupp for reporting the issue.

The issue was coordinated by CERT@VDE.