Reference: Advisory #2024-18
Version: 1.0
Affected software: Gessler GmbH WEB-MASTER version 7.9
Type: Use of Weak Credentials (CVE-2024-1039), Use of Weak Hash (CVE-2024-1040)
CVE/CVSS:
CVE-2024-1039: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-1040: CVSS 4.4 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
NVD - https://nvd.nist.gov/vuln/detail/CVE-2024-1039
NVD - https://nvd.nist.gov/vuln/detail/CVE-2024-1040
Gessler GmbH has released a security update for WEB-MASTER, a management system for emergency lighting systems, to address two vulnerabilities. Successful exploitation of these vulnerabilities can lead to account or web management takeover. This poses a significant threat to the Confidentiality, Integrity and Availability (CIA) triad of information security.
CVE-2024-1039
WEB-MASTER ships with a restoration account that uses weak, hard-coded credentials. An attacker could use this vulnerability to take over the WEB-MASTER management system.
CVE-2024-1040
User credentials are stored using a weak hashing algorithm. An attacker who obtains these hashes could crack them to recover users' passwords.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Gessler GmbH recommends updating EZ2 to 3.2 or greater and WebMaster to 4.4 or greater.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
CISA - https://www.cisa.gov/news-events/ics-advisories/icsa-24-032-01