4CCT vulnerable to improper authentication
4CCT-EA6-334126BF firmware version 3.23.77.8.33251.
INCIBE has coordinated the publication of a vulnerability in the ZIV 4CCT device, with the internal code INCIBE-2020-0040, which has been discovered by the Industrial Cybersecurity team of S21Sec, special mention to Aarón Flecha Menéndez.
CVE-2021-25910 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been calculated; the CVSS vector string is AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
Update to firmware version 3.23.80.58.46120.
This situation can also be overcome forcing HTTPS access or limiting physical local accesses to the devices.
An incorrect use of the cookie parameter in 4CCT device from ZIV Automation, allows an attacker to perform modifications in several parameters of the affected device as an authenticated user.
The vulnerability arises from an incorrect use of the cookie parameter since it does not have all the necessary security mechanisms to prevent a session hijacking.
To exploit the vulnerability, the attacker must be within the network where the device affected is located.
CWE-287: Improper Authentication
TIMELINE:
04/07/2020 – Researchers disclosure.
17/08/2020 – Researchers contact with INCIBE.
30/10/2020 – Vendor confirms the vulnerability to INCIBE.
21/12/2020 – ZIV confirms that the fix version and the release software patch have been published (Security Patch/new version).
28/01/20201 – The advisory is published by INCIBE.
If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.