Home / Early Warning / Ics Advisories / Information Exposure in INGEPAC DA AU

Information Exposure in INGEPAC DA AU

Publication date: 
10/20/2021
Importance: 
3 - Media
Affected resources: 

INGEPAC DA AU AUC_1.13.0.28 and before.

Description: 

INCIBE has coordinated the publication of a vulnerability in INGEPAC DA AU, with the internal code INCIBE-2021-0429, which has been discovered by the Industrial Cybersecurity team of S21sec, special mention to Jacinto Moral Matellán.

CVE-2017-20007 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

Solution: 

All the firmware versions from AUC_1.14.0.29 fix this issue.

Detail: 

Ingeteam INGEPAC DA AU AUC_1.13.0.28 (and before) web application allows access to a certain path that contains sensitive information that could be used by an attacker to execute more sophisticated attacks.

An unauthenticated remote attacker with access to the device´s web service could exploit this vulnerability in order to obtain different configuration files.

This vulnerability was reported to Ingeteam in 2021. It was partially fixed since version AUC_1.12.0.22 (2019), and fully fixed since version AUC_1.14.0.29.

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.

TIMELINE:

25/05/2021 - Researchers contact with INCIBE.
15/06/2021 - Ingeteam confirms the vulnerabilities to INCIBE.
20/10/20201 - The advisory is published by INCIBE.

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.

Encuesta valoración