4CCT vulnerable to a denial of service attack
4CCT-EA6-334126BF, firmware version 3.23.80.27.36371.
INCIBE has coordinated the publication of a vulnerability in the ZIV 4CCT device, with the internal code INCIBE-2021-0039, which has been discovered by the Industrial Cybersecurity team of S21Sec, special mention to Aarón Flecha Menéndez.
CVE-2021-25909 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Update to firmware version 3.23.80.58.46120.
This situation can also be overcome by installing the device in a bandwidth limited network with access privileges requirements.
4CCT device from ZIV Automation is vulnerable to a Denial of Service attack through port 7919.
The exploitation of this vulnerability might allow a remote attacker to cause a disruption in the operation of the device by sending specific packets to the port 7919.
Once the attack is finished, the device gradually recovers its normal operation.
CWE-400: Uncontrolled Resource Consumption.
Timeline
10/03/2020 – Researchers disclosure.
25/05/2020 – Researchers contact with INCIBE.
03/07/2020 – Vendor confirms the vulnerability to INCIBE.
21/12/2020 – ZIV confirms that the fix version and the release software patch have been published (Security Patch/new version).
28/01/2021 – The advisory is published by INCIBE.
If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.