Circutor SGE-PLC1000 improper authentication
SGE-PLC1000 firmware version 0.9.2b.
INCIBE has coordinated the publication of a vulnerability in the SGE-PLC1000 device, with the internal code INCIBE-2021-0228, which has been discovered by the Industrial Cybersecurity team of S21sec, special mention to Aarón Flecha Menéndez.
CVE-2021-33842 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
This issue can be solved through a firmware upgrade that has already been released by the vendor.
An incorrect use of the cookie parameter in SGE-PLC1000 device from Circutor, allows an attacker to perform operations as an authenticated user.
In order to exploit this vulnerability, the attacker must be within the network where the device affected is located.
This vulnerability was reported to Circutor and has been resolved since then in firmware versions later than the one affected.
CWE-565: Reliance on Cookies without Validation and Integrity Checking.
Timeline:
04/07/2017 – Researchers disclosure.
17/08/2020 – Researchers contact with INCIBE.
26/03/2021 – Circutor confirms the vulnerability to INCIBE and confirms that the fix version and the release software patch have been published (Security Patch).
08/06/20201 – The advisory is published by INCIBE.
If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.