ZGR TPS200 NG, firmware version 2.00 and hardware version 1.01.
INCIBE has coordinated the publication of 4 vulnerabilities in ZGR TPS200 NG, which have been discovered by the Industrial Cybersecurity team of S21sec, special mention to Aarón Flecha Menéndez.
These vulnerabilities have been assigned the codes:
- CVE-2020-8973. A CVSS v3.1 base score of 10,0 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N. The vulnerability type is CWE-284: improper access control.
- CVE-2020-8974. A CVSS v3.1 base score of 10,0 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H. The vulnerability type is CWE-771: missing reference to active allocated resource.
- CVE-2020-8975. A CVSS v3.1 base score of 7,5 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability type is CWE-201: exposure of sensitive information through sent data.
- CVE-2020-8976. A CVSS v3.1 base score of 8,9 has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H. The vulnerability type is CWE-352: CSRF (Cross-Site Request Forgery).
The ZGR team is working on a new design of the TPS, which will include the necessary cybersecurity measures to address the identified vulnerabilities. Affected equipment must be connected to properly isolated and secured networks to avoid potential risks.
- CVE-2020-8973: ZGR TPS200 NG does not properly accept specially constructed requests. This allows an attacker with access to the network where the affected asset is located, to operate and change several parameters without having to be registered as a user on the web that owns the device.
- CVE-2020-8974: ZGR TPS200 NG firmware upload process does not perform any type of restriction. This allows an attacker to modify it and re-upload it via web with malicious modifications, rendering the device unusable.
- CVE-2020-8975: ZGR TPS200 NG allows a remote attacker with access to the web application and knowledge of the routes (URIs) used by the application, to access sensitive information about the system.
- CVE-2020-8976: he integrated server of the ZGR TPS200 NG allows a remote attacker to perform actions with the permissions of a victim user. For this to happen, the victim user has to have an active session and triggers the malicious request.
If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE assignment and publication.