INGEPAC DA AU AUC_220.127.116.11 and before.
INCIBE has coordinated the publication of a vulnerability in INGEPAC DA AU, with the internal code INCIBE-2021-0429, which has been discovered by the Industrial Cybersecurity team of S21sec, special mention to Jacinto Moral Matellán.
CVE-2017-20007 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.
All the firmware versions from AUC_18.104.22.168 fix this issue.
Ingeteam INGEPAC DA AU AUC_22.214.171.124 (and before) web application allows access to a certain path that contains sensitive information that could be used by an attacker to execute more sophisticated attacks.
An unauthenticated remote attacker with access to the device´s web service could exploit this vulnerability in order to obtain different configuration files.
This vulnerability was reported to Ingeteam in 2021. It was partially fixed since version AUC_126.96.36.199 (2019), and fully fixed since version AUC_188.8.131.52.
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.
25/05/2021 - Researchers contact with INCIBE.
15/06/2021 - Ingeteam confirms the vulnerabilities to INCIBE.
20/10/20201 - The advisory is published by INCIBE.
If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.