
Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal

Risk
High
Advisory ID
ZSL-2022-5709
Release Date
30 June 2022
Vendor
CAREL INDUSTRIES S.p.A. - https://www.carel.com
Affected Version
Firmware: A2.1.0 - B2.1.0, Application Software: 2.15.4A, Software version: v16 13020200
Tested On
GNU/Linux 4.11.12 (armv7l), thttpd/2.29
Summary

pCO sistema is the solution CAREL offers its customers for managing HVAC/R applications and systems. It consists of programmable controllers, user interfaces, gateways and communication interfaces, remote management systems to offer the OEMs working in HVAC/R a control system that is powerful yet flexible, can be easily interfaced to the more widely-used Building Management Systems, and can also be integrated into proprietary supervisory systems.

Description

The device suffers from an unauthenticated arbitrary file disclosure vulnerability. The value of the 'file' GET parameter is handed to the 'logdownload.cgi' Bash script and used to build the path of the log file to be downloaded without being properly validated. Because the parameter is not confined to the log directory, an unauthenticated attacker can supply directory traversal sequences and read arbitrary, including sensitive, files from the device.
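The failure the advisory describes is a CGI script concatenating an untrusted file name into a path. The following is an added example and is not Carel's logdownload.cgi nor any code from the advisory: it shows the vulnerable concatenation pattern next to a hardened handler that only serves a regular file named by a single safe path component inside a fixed log directory. The directory layout, the 'file' parameter handling and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Carel's logdownload.cgi: a CGI-style handler that serves a
# log file named by the 'file' query parameter only when that value is a plain
# file name for a regular file directly inside a fixed log directory.
# The directory layout, parameter handling and sample files are assumptions
# made for this example.

BASE=$(mktemp -d)            # assumed layout: $BASE/logs holds the logs
LOG_DIR="$BASE/logs"

# get_param NAME QUERY_STRING: print the first value of NAME from the query
# string, or nothing if it is absent. No percent-decoding is done here.
get_param() {
    printf '%s\n' "$2" | tr '&' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# validate_log_name NAME: succeed only if NAME is a single, safe path component.
# A leading dot (covers '.', '..' and hidden files) is refused, and an explicit
# allowlist rejects '/', '\', '%' (so encoded separators never reach the
# filesystem) and anything else outside letters, digits, '.', '_' and '-'.
validate_log_name() {
    name="$1"
    [ -n "$name" ] || return 1
    case "$name" in
        .*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# serve_log QUERY_STRING: print the requested log to stdout; print nothing and
# return non-zero if validation fails or the target is not a regular,
# non-symlinked file directly under LOG_DIR.
serve_log() {
    name=$(get_param file "$1")
    validate_log_name "$name" || return 2
    path="$LOG_DIR/$name"
    # Refuse symlinks so a link planted in LOG_DIR cannot point outside it.
    { [ -f "$path" ] && [ ! -L "$path" ]; } || return 3
    cat "$path"
}

# vulnerable_serve_log QUERY_STRING: the pattern the advisory describes, shown
# for contrast. The untrusted value is concatenated straight into the path, so
# 'file=../secret.txt' walks out of LOG_DIR.
vulnerable_serve_log() {
    name=$(get_param file "$1")
    cat "$LOG_DIR/$name"
}

# Constructed sample data for a stand-alone run.
mkdir -p "$LOG_DIR"
printf 'example log line\n' > "$LOG_DIR/system.log"
printf 'not for download\n' > "$BASE/secret.txt"

echo "--- hardened, legitimate request:"
serve_log "file=system.log"
echo "--- hardened, traversal attempt (expected to be refused):"
serve_log "file=../secret.txt" || echo "refused with status $?"
echo "--- vulnerable pattern, same traversal attempt:"
vulnerable_serve_log "file=../secret.txt"
```

The allowlist deliberately refuses '%', so a percent-encoded traversal such as %2e%2e%2f is rejected before any decoding question arises; if a real handler percent-decodes QUERY_STRING before use, the same check must be applied to the decoded value, not the raw one. Checking the final path for a symlink closes the remaining way of pointing a name inside the log directory at a file outside it.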

Proof of Concept
Disclosure Timeline
10.05.2022 - Vulnerability discovered.
27.05.2022 - Vendor contacted.
27.05.2022 - Vendor responds, creating request ID 00027344, and says it will come back soon with an answer.
29.06.2022 - No response from the vendor.
30.06.2022 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
30.06.2022 - Initial release
01.06.2022 - Added reference [1]
02.06.2022 - Added reference [2]
20.07.2022 - Added reference [3]
29.07.2022 - Added reference [4]
01.09.2022 - Added references [5], [6] and [7]