Multiple vulnerabilities in SE-elektronic GmbH products

Posted date 29/01/2024
Importance
5 - Critical
Affected Resources
  • E-DDC3.3, versions 03.07.03 and later.
Description

INCIBE has coordinated the publication of 2 vulnerabilities of critical severity affecting E-DDC3.3, versions 03.07.03 and higher, from SE-elektronic GmbH, a company focused on building automation. The vulnerabilities were discovered by Carlos Antonini.

These vulnerabilities have been assigned the following codes, each listed with its CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2024-1014: 6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CWE-400.
  • CVE-2024-1015: 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-94.
Solution

There is no reported solution at this time.

Detail
  • CVE-2024-1014: uncontrolled resource consumption vulnerability in SE-elektronic GmbH E-DDC3.3 affecting versions 03.07.03 and higher. An attacker could interrupt the availability of the administration panel by sending multiple ICMP packets.
  • CVE-2024-1015: remote command execution vulnerability in SE-elektronic GmbH E-DDC3.3 affecting versions 03.07.03 and higher. An attacker could send operating system commands to the device via its web configuration functionality.