Tuesday, October 30, 2018 @ 05:10 PM gHale

PEPPERL+FUCHS has an update available that can mitigate an improper privilege management vulnerability in its CT50-Ex, according to a report with NCCIC.

Successful exploitation of this vulnerability, which PEPPERL+FUCHS self-reported, could allow a malicious third-party application to gain elevated privileges and obtain access to sensitive information.


The CT50-Ex running Android OS v4.4 and v6.0, originally manufactured by Honeywell, suffers from the remotely exploitable issue.

A skilled attacker with advanced knowledge of the target system could exploit this vulnerability by creating an application that would bind to the service and gain elevated system privileges. This could enable the attacker to obtain access to keystrokes, passwords, personally identifiable information, photos, emails, or business-critical documents.

CVE-2018-14825 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.6.

The product sees use mainly in the communications, critical manufacturing, and information technology sectors. It also sees action on a global basis.

No known public exploits specifically target this vulnerability.

An update is available that resolves this vulnerability. All users of the affected products should update products as follows: If using Android v6.0, update to CommonES or later. Update ECP to Version or later (if applicable). If using Android 4.4, update to CommonES 3.17.3445 or later. Additionally, according to PEPPERL+FUCHS, only the products mentioned herein are affected by this vulnerability. Updates are available via the PEPPERL+FUCHS ecom product support channel or directly from the original manufacturer Honeywell.

For more information, CERT @ VDE has released a security advisory.
