A vulnerability was found in Circontrol CirCarLife up to 4.2. It has been classified as problematic. This affects an unknown function of the file /html/devstat.html of the component PLC Status Handler. The manipulation with an unknown input leads to a improper authentication vulnerability. CWE is classifying the issue as CWE-287. When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. This is going to have an impact on confidentiality. The summary by CVE is:

An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is PLC status disclosure due to lack of authentication for /html/devstat.html.

The bug was discovered 09/10/2018. The weakness was published 09/18/2018 (Website). It is possible to read the advisory at github.com. This vulnerability is uniquely identified as CVE-2018-16670 since 09/07/2018. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details and a public exploit are known.

The exploit is shared for download at exploit-db.com. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 8 days. During that time the estimated underground price was around $0-$5k. By approaching the search of inurl:html/devstat.html it is possible to find vulnerable targets with Google Hacking.

Upgrading to version 4.3 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Exploit-DB (45384). Similar entries are available at 119799, 124213, 124214 and 124216.

Productinfo

Vendor

• Circontrol

Name

• CirCarLife

Version

• 4.0
• 4.1
• 4.2

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion