CVE-2024-22085 in G5 Digital Fault Recorderinfo

Summary

by MITRE • 03/20/2024

An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. The shadow file is world readable.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 12/06/2024

The vulnerability identified as CVE-2024-22085 affects Elspec G5 digital fault recorder devices running firmware versions 1.1.4.15 and earlier. This issue represents a critical misconfiguration that exposes sensitive system information through improper file permissions. The shadow file, which typically contains encrypted password hashes for user accounts on Unix-like systems, is accessible to all users on the system. This misconfiguration creates a significant security risk by providing unauthorized access to authentication credentials that should remain protected.

The technical flaw stems from inadequate permission settings on the shadow file within the device's file system. In proper system administration practices, the shadow file should be restricted to root user access only, typically with permissions set to 0600 or equivalent. The world-readable nature of this file means that any user or process with access to the device can extract password hashes and potentially attempt offline password cracking attacks. This vulnerability directly violates security best practices and represents a failure in privilege separation mechanisms. The issue falls under CWE-732: Incorrect Permission Assignment for Critical Resource, which specifically addresses when critical system resources are given overly permissive access controls.

The operational impact of this vulnerability extends beyond simple information disclosure. Attackers who gain access to the shadow file can leverage the extracted password hashes to perform dictionary attacks, brute force attempts, or utilize rainbow table lookups to recover plaintext passwords. This compromises the entire authentication system of the fault recorder device, potentially allowing unauthorized individuals to gain administrative access to critical power system monitoring equipment. The implications are particularly severe in industrial control environments where these devices play crucial roles in grid monitoring and protection systems. The vulnerability creates an attack surface that aligns with ATT&CK technique T1003.001: OS Credential Dumping: LSASS Memory, though in this case the credentials are exposed through file system permissions rather than memory dumping techniques.

Organizations should immediately implement mitigations including updating to the latest firmware version that addresses this permission issue, manually correcting file permissions on existing systems, and conducting comprehensive security audits of all industrial control system components. System administrators must verify that the shadow file and similar sensitive files maintain appropriate permissions and that regular access control reviews are conducted. The vulnerability highlights the importance of proper system hardening and adherence to security baseline configurations. Additionally, network segmentation should be implemented to limit access to these critical devices, and monitoring should be enabled to detect unauthorized access attempts to sensitive system files. This issue demonstrates the critical need for regular security assessments of industrial equipment and proper configuration management practices.

Reservation

01/05/2024

Disclosure

03/20/2024

Moderation

accepted

CPE

ready

EPSS

0.00228

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!