VDE-2022-050

Vulnerability from csaf_ifmelectronicgmbh - Published: 2022-12-12 11:00 - Updated: 2026-01-06 11:00
Summary
IFM: weak password recovery vulnerability in moneo appliance
Notes
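Summary: An unauthenticated remote attacker could reset the administrator's password with information from the default, self-signed certificate. Per the mitigation and CVE description below, that information is the device serial number, which the default certificate contains.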
Impact: An unauthenticated attacker can remotely reset the administrator password.
Mitigation: The certificate is renewed by changing the hostname to a customer-specific one, so that it does not contain the serial number.
Remediation: The password-reset mechanism will be updated in a future version. When using automation components, make sure that no unauthorized access can take place. In addition, measures should be taken to ensure that the components do not have direct access to Internet resources and that they cannot be accessed from insecure networks. Use available security measures such as authentication and authorization groups.

In IFM Moneo Appliance with version up to 1.9.3 an unauthenticated remote attacker can reset the administrator password by only supplying the serial number and thus gain full control of the device.

CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Mitigation: The certificate is renewed by changing the hostname to a customer-specific one, so that it does not contain the serial number.
Vendor Fix The password-reset mechanism will be updated in a future version. When using automation components, make sure that no unauthorized access can take place. In addition, measures should be taken to ensure that the components do not have direct access to Internet resources and that they cannot be accessed from insecure networks. Use available security measures such as authentication and authorization groups.
Acknowledgments
CERT@VDE certvde.com
Aimon Dawson

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "organization": "Aimon Dawson",
        "summary": "reporting"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "An unauthenticated remote attacker could reset the administrator\u0027s password with information from the default, self-signed certificate.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "An unauthenticated attacker can remotely reset the administrator password.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "The certificate is renewed by changing the hostname to a customer-specific one, so that it does not contain the serial number.",
        "title": "Mitigation"
      },
      {
        "category": "description",
        "text": "The password-reset mechanism will be updated in a future version.\nWhen using automation components, make sure that no unauthorized access can take place. In addition, measures should be taken to ensure that the components do not have direct access to Internet resources and that they cannot be accessed from insecure networks. Use available security measures such as authentication and authorization groups.",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@ifm.com",
      "name": "ifm electronic GmbH",
      "namespace": "https://www.ifm.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "VDE-2022-050: IFM: weak password recovery vulnerability in moneo appliance - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2022-050/"
      },
      {
        "category": "self",
        "summary": "VDE-2022-050: IFM: weak password recovery vulnerability in moneo appliance - CSAF",
        "url": "https://ifm.csaf-tp.certvde.com/.well-known/csaf/white/2022/vde-2022-050.json"
      },
      {
        "category": "external",
        "summary": "Vendor PSIRT",
        "url": "https://www.ifm.com"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for ifm electronic GmbH",
        "url": "https://certvde.com/en/advisories/vendor/ifm/"
      }
    ],
    "title": "IFM: weak password recovery vulnerability in moneo appliance",
    "tracking": {
      "aliases": [
        "VDE-2022-050"
      ],
      "current_release_date": "2026-01-06T11:00:00.000Z",
      "generator": {
        "date": "2026-01-30T08:42:49.132Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.42"
        }
      },
      "id": "VDE-2022-050",
      "initial_release_date": "2022-12-12T11:00:00.000Z",
      "revision_history": [
        {
          "date": "2022-12-12T11:00:00.000Z",
          "number": "1.0.0",
          "summary": "Initial revision."
        },
        {
          "date": "2026-01-06T11:00:00.000Z",
          "number": "2.0.0",
          "summary": "fixed version range, added Hardware with relationship, changed vulnerability title to CVE description"
        }
      ],
      "status": "final",
      "version": "2.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:semver/\u003c=1.9.3",
                    "product": {
                      "name": "moneo appliance \u003c=1.9.3",
                      "product_id": "CSAFPID-51001"
                    }
                  }
                ],
                "category": "product_name",
                "name": "moneo appliance"
              }
            ],
            "category": "product_family",
            "name": "Software"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "QHA210",
                "product": {
                  "name": "QHA210",
                  "product_id": "CSAFPID-11001",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:h:ifm_electronic:qha210:*:*:*:*:*:*:*:*",
                    "model_numbers": [
                      "QHA210"
                    ]
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          }
        ],
        "category": "vendor",
        "name": "IFM"
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "moneo appliance \u003c=1.9.3 installed on QHA210",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-51001",
        "relates_to_product_reference": "CSAFPID-11001"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-3485",
      "cwe": {
        "id": "CWE-640",
        "name": "Weak Password Recovery Mechanism for Forgotten Password"
      },
      "notes": [
        {
          "category": "description",
          "text": "In IFM Moneo Appliance with version up to 1.9.3 an unauthenticated remote attacker can reset the administrator password by only supplying the serial number and thus gain full control of the device.\n",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-51001"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The certificate is renewed by changing the hostname to a customer-specific one, so that it does not contain the serial number.",
          "product_ids": [
            "CSAFPID-51001",
            "CSAFPID-31001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "The password-reset mechanism will be updated in a future version.\nWhen using automation components, make sure that no unauthorized access can take place. In addition, measures should be taken to ensure that the components do not have direct access to Internet resources and that they cannot be accessed from insecure networks. Use available security measures such as authentication and authorization groups.",
          "product_ids": [
            "CSAFPID-51001",
            "CSAFPID-31001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 9.8,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 9.8,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-51001"
          ]
        }
      ],
      "title": "CVE-2022-3485"
    }
  ]
}

