Multiple vulnerabilities in Ingeteam products

Posted date 20/09/2023
Identificador

INCIBE-2023-0399

Importance
4 - High
Affected Resources
  • INGEPAC DA3451, firmware version 0.29.2.42 (CVE-2023-3768 and CVE-2023-3770).
  • INGEPAC FC5066, firmware version 9.0.22.6+6.1.1.22+5.3.1.1 (CVE-2023-3769).
Description

INCIBE has coordinated the publication of 3 vulnerabilities affecting Ingeteam INGEPAC DA 3451 and INGEPAC EF MD, which have been discovered by the industrial cibersecurity researchers Aarón Flecha Menéndez and Gabriel Vía Echezarreta.

These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector string and the CWE vulnerability type of each vulnerability:

  • CVE-2023-3768: CVSS v3.1: 8,6 | CVSS: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H | CWE-20.
  • CVE-2023-3769: CVSS v3.1: 8,6 | CVSS: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H | CWE-20.
  • CVE-2023-3770: CVSS v3.1: 5,3 | CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N  | CWE-20.
Solution

Ingeteam has released the following firmware versions that address the reported vulnerabilities:

  • CVE-2023-3768:1.0.4.0 version (released on 30-09-2021) and later.
  • CVE-2023-3769: 9.8.30.0 version and later.

As for CVE-2023-3770, the information published in this port is public and non-confidential. Its purpose is to make devices discoverable through software tools such as Ingeteam PAC Factory. If there is a cybersecurity concern about the data displayed, the port can be disabled on each device through its internal firewall service.

Detail
  • CVE-2023-3768 and CVE-2023-3769: incorrect data input validation vulnerability, which could allow an attacker with access to the network to implement fuzzing techniques that would allow him to gain knowledge about specially crafted packets that would create a DoS condition through the MMS protocol when initiating communication, achieving a complete system reboot of the device and its services.
  • CVE-2023-3770: incorrect validation vulnerability of the data entered, allowing an attacker with access to the network on which the affected device is located to use the discovery port protocol (1925/UDP) to obtain device-specific information without the need for authentication.