Instruments for monitoring oil tanks manufactured by the German company Tecson revealed a dangerous vulnerability that allows access to web settings panel without credentials.
For doing so, an attacker will only need to know address of web server and request format that was used.“Based on the lack of adequately implemented access-control rules, by accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to change the application settings without authenticating at all, which violates originally laid ACL rules”, — reported in Tecson.
While exploiting vulnerability, an attacker can access interface configuration and change settings, including passwords, alert settings, and output status data. Thus, it can affect the planned operations and carry out an attack on automation processes.
Vulnerability received a CVE-2019-12254 identifier; the degree of its danger is estimated at 9.8 points on the CVSS scale. The issue affects Tecson LX-Net, LX-Q-Net, e-litro net, SmartBox4 LAN and SmartBox4 pro LAN devices.
However, manufacturer fixed vulnerability with the release of firmware version 6.3. As a measure to prevent attacks, users are advised to disable port forwarding and remote access to vulnerable devices.
Source: https://cert.vde.com
