Entes has Upgrade for EMG 12

Tuesday, October 2, 2018 @ 05:10 PM gHale

Entes suggests users upgrade to the latest firmware to mitigate two vulnerabilities in its EMG 12, an improper authentication issue and an information exposure through query strings in GET requests, according to a report with NCCIC.

Successful exploitation of these vulnerabilities, discovered by Can Demirel of Biznet Bilisim, may allow attackers to gain unauthorized access and change device configuration and settings.

The EMG 12, an Ethernet Modbus gateway, suffers from the remotely exploitable vulnerabilities in firmware Version 2.57 and prior.

In the improper authentication vulnerability, the application uses a web interface where it is possible for an attacker to bypass authentication with a specially crafted URL. This could allow for remote code execution.

CVE-2018-14826 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In addition, an information exposure through query strings vulnerability in the web interface has been identified, which may allow an attacker to impersonate a legitimate user and execute arbitrary code.

CVE-2018-14822 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.1.

The product sees use mainly in the critical manufacturing and energy sectors, and it is deployed on a global basis.

No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level could leverage the vulnerabilities.

Turkey-based Entes recommends users update to the latest available firmware version. This can be requested by calling +902163130110 or by email.
