
WARNING: GESSLER GMBH WEB-MASTER USES A WEAK HARD-CODED RESTORATION PASSWORD, PATCH IMMEDIATELY!

Reference: Advisory #2024-18
Version: 1.0
Affected software: Gessler GmbH WEB-MASTER version 7.9
Type: Use of Weak Credentials (CVE-2024-1039), Use of Weak Hash (CVE-2024-1040)
CVE/CVSS:

CVE-2024-1039: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVE-2024-1040: CVSS 4.4 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Sources

NVD - https://nvd.nist.gov/vuln/detail/CVE-2024-1039

NVD - https://nvd.nist.gov/vuln/detail/CVE-2024-1040

Risks

Gessler GmbH has released a security update for WEB-MASTER, a management system for emergency lighting installations, to address two vulnerabilities. Successful exploitation can lead to takeover of user accounts or of the web management interface itself, with full impact on the confidentiality, integrity and availability of the affected system.

Description

CVE-2024-1039

WEB-MASTER ships with a restoration account that uses weak, hard-coded credentials. The CVSS vector (AV:N/PR:N/UI:N) reflects that no prior access or user interaction is needed: an unauthenticated attacker who can reach the web interface could log in with these credentials and take over the management system.

CVE-2024-1040

User credentials are stored with a weak hashing algorithm. An attacker who obtains the stored hashes could break them offline to recover the users' passwords. The vector (AV:L/PR:H) reflects that this requires privileged access to the device first, so it chiefly extends an existing compromise (for example via CVE-2024-1039) into recovered passwords, which are then a risk wherever the same passwords are reused.
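The two weakness classes above, shown side by side in a small Python illustration added here (this is not Gessler GmbH code, and the advisory does not disclose the real account name, password, hash function or user store; the `restore`/`1234` account, the MD5 choice, the user store and the wordlist are all constructed stand-ins). The vulnerable `weak_login` accepts a fixed fallback account that never touches the user store, and `crack_weak` shows why unsalted fast hashes fall to a single pass over a wordlist. The hardened `strong_login` has no fallback and uses salted PBKDF2 with a constant-time compare; `crack_strong` runs the same dictionary attack against it so the cost difference is visible.

```python
"""Added illustration (not Gessler GmbH code) of a hard-coded fallback account
and fast, unsalted password hashes, beside a hardened version. Every name,
secret and hash choice here is a constructed stand-in."""
import hashlib
import hmac
import os
from typing import Optional

# --- Vulnerable pattern (constructed stand-in) ------------------------------
RESTORE_USER = "restore"   # hypothetical built-in "restoration" account
RESTORE_PASSWORD = "1234"  # hypothetical weak, hard-coded secret

# Hypothetical user store: unsalted MD5 digests (fast, no per-user salt).
weak_store = {
    "admin": hashlib.md5(b"winter2023").hexdigest(),
    "tech": hashlib.md5(b"gessler").hexdigest(),
}

# Constructed wordlist for the offline attack.
WORDLIST = ["password", "admin", "1234", "winter2023", "gessler", "emergency"]


def weak_login(user: str, password: str) -> bool:
    """Vulnerable: the fixed fallback bypasses the user store entirely, and
    regular users are checked against fast unsalted hashes."""
    if user == RESTORE_USER and password == RESTORE_PASSWORD:
        return True
    digest = weak_store.get(user)
    return digest is not None and digest == hashlib.md5(password.encode()).hexdigest()


def crack_weak(store: dict, wordlist: list) -> tuple:
    """Offline dictionary attack on unsalted hashes: one digest per guess
    covers every user at once. Returns (recovered passwords, hashes computed)."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    recovered = {u: table[d] for u, d in store.items() if d in table}
    return recovered, len(table)


# --- Hardened pattern --------------------------------------------------------
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware allows


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted, slow hash. A fresh random salt defeats shared lookup tables."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, digest)  # constant-time comparison


strong_store = {u: hash_password(p) for u, p in (("admin", "winter2023"), ("tech", "gessler"))}
_DUMMY_SALT = b"\x00" * 16


def strong_login(user: str, password: str) -> bool:
    """Hardened: no built-in fallback account; every login goes through the
    store, and unknown users cost the same so timing does not reveal them."""
    entry = strong_store.get(user)
    if entry is None:
        hash_password(password, _DUMMY_SALT)
        return False
    return verify_password(password, *entry)


def crack_strong(store: dict, wordlist: list) -> tuple:
    """Same dictionary attack against the salted store: no shared table, one
    full PBKDF2 run per (user, guess). Weak passwords still fall, only at
    ITERATIONS times the cost per guess and per user."""
    recovered, work = {}, 0
    for user, (salt, digest) in store.items():
        for guess in wordlist:
            work += 1
            if verify_password(guess, salt, digest):
                recovered[user] = guess
                break
    return recovered, work


if __name__ == "__main__":
    print("fallback login works:", weak_login(RESTORE_USER, RESTORE_PASSWORD))
    print("weak store cracked:", crack_weak(weak_store, WORDLIST))
    print("strong store, same wordlist:", crack_strong(strong_store, WORDLIST))
```

Two things to take from running it: the weak store is recovered with six MD5 computations in total, regardless of how many users it holds, whereas the salted store needs a full PBKDF2 run per user and per guess. The salted version still gives up passwords that are on the wordlist, which is why the fix for CVE-2024-1040 is a reason to rotate passwords after patching, not a substitute for strong ones.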

Recommended Actions

Patch

The Centre for Cybersecurity Belgium (CCB) strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Gessler GmbH recommends updating EZ2 to 3.2 or greater and WebMaster to 4.4 or greater.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

Patching appliances or software to the newest version protects against future exploitation, but it does not remediate a compromise that has already taken place. Devices that were reachable while vulnerable should be checked for unauthorised access to the web management interface, and, given that stored passwords may have been recovered from weak hashes, user passwords should be changed after the update.

References

CISA - https://www.cisa.gov/news-events/ics-advisories/icsa-24-032-01