
109 matches found

CNNVD
added 2023/07/03 12:0 a.m. · 2 views

Ovarro TBox RTUs Authorization Issue Vulnerability

Ovarro TBox RTUs is a modular remote monitoring and automation solution from Ovarro Germany. An authorization issue vulnerability exists in Ovarro TBox RTUs that stems from allowing a low-privileged user to access higher-privileged software security tokens, potentially allowing an attacker to...

6.5 CVSS · 6.5 AI score · 0.00405 EPSS
Exploits: 0 · References: 2

CNNVD
added 2023/07/03 12:0 a.m. · 4 views

Ovarro TBox RTUs Security Vulnerability

Ovarro TBox RTUs is a modular remote monitoring and automation solution from Ovarro Germany. The Ovarro TBox RTUs suffers from a security vulnerability that originates from running OpenVPN with root privileges and the ability to run user-defined configuration scripts, which allows an attacker to...

7.2 CVSS · 7.1 AI score · 0.00554 EPSS
Exploits: 0 · References: 2

Positive Technologies
added 2023/07/03 12:0 a.m. · 4 views

PT-2023-25630 · Tbox Rtus +1

Name of the Vulnerable Software and Affected Versions: TBox RTUs (affected versions not specified). Description: The issue concerns TBox RTUs that run OpenVPN with root privileges and are capable of executing user-defined configuration scripts. An attacker can set up a local OpenVPN server and push ...

7.2 CVSS · 6.8 AI score · 0.00554 EPSS
Exploits: 0 · References: 3

Positive Technologies
added 2023/07/03 12:0 a.m. · 4 views

PT-2023-25632 · Tbox Rtus

Name of the Vulnerable Software and Affected Versions: TBox RTUs (affected versions not specified). Description: The affected TBox RTUs generate software security tokens using insufficient entropy. The random seed used to generate the software tokens is not initialized correctly, and other parts of...

5.9 CVSS · 5.5 AI score · 0.0041 EPSS
Exploits: 0 · References: 4

Prion
added 2023/06/29 9:15 p.m. · 21 views

Authorization

The affected TBox RTUs are missing authorization for running some API commands. An attacker running these commands could reveal sensitive information such as software versions and web server file contents...

5 CVSS · 6 AI score · 0.00395 EPSS
Exploits: 0 · References: 1 · Affected Software: 5

Vulnrichment
added 2023/06/29 8:30 p.m. · 8 views

CVE-2023-36607

The affected TBox RTUs are missing authorization for running some API commands. An attacker running these commands could reveal sensitive information such as software versions and web server file contents...

6.8 AI score · 0.00395 EPSS
Exploits: 0 · References: 1

CVE
added 2023/06/29 8:30 p.m. · 46 views

CVE-2023-36607

CVE-2023-36607 relates to Ovarro TBox RTUs and involves missing authorization to run certain API commands. The EU/ICS advisory details affected firmware ranges across multiple TBox models (e.g., TBox MS-CPU32, MS-CPU32-S2, LT2, TG2, RM2) with versions up to 1.50.598 and prior, plus earlier versio...

5.3 CVSS · 5.6 AI score · 0.00395 EPSS
Exploits: 0 · References: 1 · Affected Software: 1

CISA
added 2023/06/29 12:0 p.m. · 3 views

CISA Releases Nine Industrial Control Systems Advisories

CISA released nine Industrial Control Systems (ICS) advisories on June 29, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-23-180-01 Delta Electronics InfraSuite Device Master; ICSA-23-180-02 Schneider Electric...

7 AI score
Exploits: 0 · References: 9

ICS
added 2023/06/29 6:0 a.m. · 67 views

Ovarro TBox RTUs

1. EXECUTIVE SUMMARY CVSS v3 7.2 ATTENTION: Exploitable remotely/low attack complexity Vendor: Ovarro Equipment: TBox RTUs Vulnerabilities: Missing Authorization, Use of Broken or Risky Cryptographic Algorithm, Inclusion of Functionality from Untrusted Control Sphere, Insufficient Entropy,...

7.2 CVSS · 7.3 AI score · 0.00554 EPSS
Exploits: 0 · References: 8

Positive Technologies
added 2023/06/29 12:0 a.m. · 3 views

PT-2023-25628 · Tbox Rtus

Name of the Vulnerable Software and Affected Versions: TBox RTUs (affected versions not specified). Description: The issue concerns missing authorization for running certain API commands, which could allow an attacker to reveal sensitive information, including software versions and web server file...

5.3 CVSS · 5.1 AI score · 0.00395 EPSS
Exploits: 0 · References: 3

CNVD
added 2023/06/14 12:0 a.m. · 24 views

Siemens SICAM A8000 Devices CPCI85 Firmware Hardcoded Credentials Vulnerability

The SICAM A8000 RTUs (Remote Terminal Units) series is a modular device family for remote control and automation applications in all areas of energy supply. A hard-coded credentials vulnerability exists in the Siemens SICAM A8000 Devices CPCI85 Firmware, which can be exploited by an attacker to log...

6.8 CVSS · 6.8 AI score · 0.00364 EPSS
Exploits: 1 · References: 1

Prion
added 2022/08/17 3:15 p.m. · 18 views

Design/Logic Flaw

The Emerson ControlWave 'Next Generation' RTUs through 2022-05-02 mishandle firmware integrity. They utilize the BSAP-IP protocol to transmit firmware updates. Firmware updates are supplied as CAB archive files containing a binary firmware image. In all cases, firmware images were found to have n...

4.3 CVSS · 7.8 AI score · 0.00149 EPSS
Exploits: 0 · References: 2 · Affected Software: 2

CVE
added 2022/08/17 2:27 p.m. · 50 views

CVE-2022-30262

The CVE-2022-30262 entry concerns Emerson ControlWave ‘Next Generation’ RTUs (through 2022-05-02) with firmware updates transmitted over BSAP-IP. The vulnerability is insufficient verification of data authenticity: firmware images in CAB archives are not authenticated (no signing) and rely on ins...

7.8 CVSS · 7.8 AI score · 0.00149 EPSS
Exploits: 0 · References: 2 · Affected Software: 1

Cvelist
added 2022/08/17 2:27 p.m. · 38 views

CVE-2022-30262

The Emerson ControlWave 'Next Generation' RTUs through 2022-05-02 mishandle firmware integrity. They utilize the BSAP-IP protocol to transmit firmware updates. Firmware updates are supplied as CAB archive files containing a binary firmware image. In all cases, firmware images were found to have n...

8 AI score · 0.00149 EPSS
Exploits: 0 · References: 2

Prion
added 2022/08/16 1:15 p.m. · 20 views

Authentication flaw

Emerson OpenBSI through 2022-04-29 mishandles credential storage. It is an engineering environment for the ControlWave and Bristol Babcock line of RTUs. This environment provides access control functionality through user authentication and privilege management. The credentials for various users a...

1.7 CVSS · 5.6 AI score · 0.00252 EPSS
Exploits: 0 · References: 2 · Affected Software: 1

ATTACKERKB
added 2022/07/26 11:15 p.m. · 1 views

CVE-2022-30276

The Motorola MOSCAD and ACE line of RTUs through 2022-05-02 omit an authentication requirement. They feature IP Gateway modules which allow for interfacing between Motorola Data Link Communication (MDLC) networks (potentially over a variety of serial, RF and/or Ethernet links) and TCP/IP networks...

7.5 CVSS · 7.2 AI score · 0.00643 EPSS
Exploits: 0 · References: 3

NVD
added 2022/07/26 11:15 p.m. · 15 views

CVE-2022-30269

Motorola ACE1000 RTUs through 2022-05-02 mishandle application integrity. They allow for custom application installation via either STS software, the C toolkit, or the ACE1000 Easy Configurator. In the case of the Easy Configurator, application images as PLX/DAT/APP/CRC files are uploaded via the...

8.8 CVSS · 0.00374 EPSS
Exploits: 0 · References: 2

NVD
added 2022/07/26 11:15 p.m. · 24 views

CVE-2022-30276

The Motorola MOSCAD and ACE line of RTUs through 2022-05-02 omit an authentication requirement. They feature IP Gateway modules which allow for interfacing between Motorola Data Link Communication (MDLC) networks (potentially over a variety of serial, RF and/or Ethernet links) and TCP/IP networks...

7.5 CVSS · 0.00643 EPSS
Exploits: 0 · References: 2

NVD
added 2022/07/26 10:15 p.m. · 7 views

CVE-2022-30275

The Motorola MOSCAD Toolbox software through 2022-05-02 relies on a cleartext password. It utilizes an MDLC driver to communicate with MOSCAD/ACE RTUs for engineering purposes. Access to these communications is protected by a password stored in cleartext in the wmdlcdrv.ini driver configuration...

7.5 CVSS · 0.00452 EPSS
Exploits: 0 · References: 2

NVD
added 2022/07/26 10:15 p.m. · 16 views

CVE-2022-29960

Emerson OpenBSI through 2022-04-29 uses weak cryptography. It is an engineering environment for the ControlWave and Bristol Babcock line of RTUs. DES with hardcoded cryptographic keys is used for protection of certain system credentials, engineering files, and sensitive utilities...

5.5 CVSS · 0.00425 EPSS
Exploits: 0 · References: 3