EFACEC BCU 500

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 9.6
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: EFACEC
  • Equipment: BCU 500
  • Vulnerabilities: Uncontrolled Resource Consumption, Cross-site Request Forgery

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition on the affected product or compromise the web application through a cross-site request forgery (CSRF) vulnerability.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of EFACEC BCU 500, an automation and control IED, is affected:

  • BCU 500: version 4.07

3.2 Vulnerability Overview

3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

Through the exploitation of active user sessions, an attacker could send custom requests to cause a denial-of-service condition on the device.

CVE-2023-50707 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H).

3.2.2 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

A successful CSRF attack could force the user to perform state changing requests on the application. If the victim is an administrative account, a CSRF attack could compromise the entire web application.

CVE-2023-6689 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:H).[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from All CISA Advisories

Read the original article: