Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal
Title: Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal
Advisory ID: ZSL-2022-5709
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 30.06.2022
Application Software: 2.15.4A
Software version: v16 13020200
thttpd/2.29
[27.05.2022] Vendor contacted.
[27.05.2022] Vendor responds creating request ID 00027344. Will come back soon with an answer.
[29.06.2022] No response from the vendor.
[30.06.2022] Public security advisory released.
[2] https://exchange.xforce.ibmcloud.com/vulnerabilities/230273
[3] https://cxsecurity.com/issue/WLB-2022070011
[4] https://www.exploit-db.com/exploits/50986
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37122
[6] https://nvd.nist.gov/vuln/detail/CVE-2022-37122
[7] https://www.tenable.com/cve/CVE-2022-37122
[01.06.2022] - Added reference [1]
[02.06.2022] - Added reference [2]
[20.07.2022] - Added reference [3]
[29.07.2022] - Added reference [4]
[01.09.2022] - Added reference [5], [6] and [7]
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2022-5709
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 30.06.2022
Summary
pCO sistema is the solution CAREL offers its customers for managing HVAC/R applications and systems. It consists of programmable controllers, user interfaces, gateways and communication interfaces, remote management systems to offer the OEMs working in HVAC/R a control system that is powerful yet flexible, can be easily interfaced to the more widely-used Building Management Systems, and can also be integrated into proprietary supervisory systems.Description
The device suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.Vendor
CAREL INDUSTRIES S.p.A. - https://www.carel.comAffected Version
Firmware: A2.1.0 - B2.1.0Application Software: 2.15.4A
Software version: v16 13020200
Tested On
GNU/Linux 4.11.12 (armv7l)thttpd/2.29
Vendor Status
[10.05.2022] Vulnerability discovered.[27.05.2022] Vendor contacted.
[27.05.2022] Vendor responds creating request ID 00027344. Will come back soon with an answer.
[29.06.2022] No response from the vendor.
[30.06.2022] Public security advisory released.
PoC
carelpco_dir.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://packetstormsecurity.com/files/167684/[2] https://exchange.xforce.ibmcloud.com/vulnerabilities/230273
[3] https://cxsecurity.com/issue/WLB-2022070011
[4] https://www.exploit-db.com/exploits/50986
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37122
[6] https://nvd.nist.gov/vuln/detail/CVE-2022-37122
[7] https://www.tenable.com/cve/CVE-2022-37122
Changelog
[30.06.2022] - Initial release[01.06.2022] - Added reference [1]
[02.06.2022] - Added reference [2]
[20.07.2022] - Added reference [3]
[29.07.2022] - Added reference [4]
[01.09.2022] - Added reference [5], [6] and [7]
Contact
Zero Science LabWeb: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
