Carlo Gavazzi Controls Advisory Feed by CERT@VDE (https://cert.vde.com/en/advisories/), updated 2022-09-26T10:00:00+00:00. Feed for Carlo Gavazzi Controls Advisories by CERT@VDE.
Carlo Gavazzi Controls: Multiple Vulnerabilities in Controller UWP 3.0
2022-09-26T08:00:00+00:00 / 2022-09-26T10:00:00+00:00, CERTVDE (https://cert.vde.com/en/advisories/author/certuser/)
https://cert.vde.com/en/advisories/VDE-2022-029/
<h4>VDE-2022-029</h4>
<h4>Vendor(s)</h4>Carlo Gavazzi Controls SpA<br>
<h4>Product(s)</h4>
<table>
<tbody>
<tr>
<th>Article No.</th>
<th>Product Name</th>
<th>Affected Version(s)</th>
</tr>
<tr><td>SBP2CPY24</td><td>CPY Car Park Server</td><td>&lt; 2.8.3</td></tr>
<tr><td>UWP30RSEXXX</td><td>UWP 3.0 Monitoring Gateway and Controller</td><td>&lt; 8.5.0.3</td></tr>
<tr><td>UWP30RSEXXXEDP</td><td>UWP 3.0 Monitoring Gateway and Controller – EDP version</td><td>&lt; 8.5.0.3</td></tr>
<tr><td>UWP30RSEXXXSE</td><td>UWP 3.0 Monitoring Gateway and Controller – Security Enhanced</td><td>&lt; 8.5.0.3</td></tr>
</tbody>
</table>
<h4>Vulnerabilities</h4>
<p>CVE-2022-22522: 9.8 (CVSS:3.1)<br>
CVE-2022-22523: 7.5 (CVSS:3.1)<br>
CVE-2022-22524: 9.4 (CVSS:3.1)<br>
CVE-2022-22525: 7.2 (CVSS:3.1)<br>
CVE-2022-22526: 9.8 (CVSS:3.1)<br>
CVE-2022-28811: 9.8 (CVSS:3.1)<br>
CVE-2022-28812: 9.8 (CVSS:3.1)<br>
CVE-2022-28813: 7.5 (CVSS:3.1)<br>
CVE-2022-28814: 9.8 (CVSS:3.1)<br>
CVE-2022-28815: 2.7 (CVSS:3.1)<br>
CVE-2022-28816: 6.1 (CVSS:3.1)</p>
<h4>Summary</h4>
<p>The UWP 3.0 family of Monitoring Gateways and Controllers and the CPY Car Park Server are affected by multiple vulnerabilities in their set-up software, runtime firmware and embedded web interface.</p>
<h4>Impact</h4>
<p>An attacker can gain full access to the affected devices. See the vulnerability descriptions for details.</p>
<h4>Solution</h4>
<p><b>General recommendations</b></p>
<ul>
<li>Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside</li>
<li>Use firewalls to protect and separate the control system network from other networks</li>
<li>Use VPN (Virtual Private Networks) tunnels if remote access is required</li>
<li>Activate and apply user management and password features</li>
<li>Use encrypted communication links</li>
<li>Limit access to both the set-up and the control system by physical means, operating-system features, etc.</li>
<li>Protect the set-up and control system with up-to-date virus detection solutions</li>
</ul>
<p><b>Remediation</b></p>
<p>Please update to the software/firmware versions described below:</p>
<table>
<tbody>
<tr>
<td><strong>Article Nr.</strong></td>
<td><strong>Product Name and Description</strong></td>
<td><strong>Fixed in version</strong></td>
</tr>
<tr>
<td>UWP30RSEXXX</td>
<td>UWP 3.0 Monitoring Gateway and Controller</td>
<td rowspan="3" style="text-align: center;">&gt;= 8.5.0.3<br>available from April 27th, 2022</td>
</tr>
<tr>
<td>UWP30RSEXXXSE</td>
<td>UWP 3.0 Monitoring Gateway and Controller – Security<br>Enhanced</td>
</tr>
<tr>
<td>UWP30RSEXXXEDP</td>
<td>UWP 3.0 Monitoring Gateway and Controller – EDP version</td>
</tr>
<tr>
<td>SBP2CPY24</td>
<td>CPY Car Park Server</td>
<td style="text-align: center;">&gt;= 2.8.3<br>available from June 28th, 2022</td>
</tr>
</tbody>
</table>
<h4>URL</h4>
<p><a href="https://cert.vde.com/en/advisories/VDE-2022-029/" target="_new">https://cert.vde.com/en/advisories/VDE-2022-029/</a></p>