Executive Summary

This vulnerability allows an unauthenticated remote attacker to extract password hashes from firmware images of certain devices. The attacker can then attempt to brute force these hashes to obtain plaintext passwords of accounts that have limited access.

It specifically affects Janitza UMG 96RM-E and Weidmueller energy meter devices, where broken or risky cryptographic algorithms are used, enabling this extraction and brute forcing.

Useful 0 Not Useful 0

Impact Analysis

The impact of this vulnerability is that an attacker can gain access to password hashes and potentially recover plaintext passwords for accounts with limited access on the affected devices.

This could allow unauthorized access to these devices, potentially leading to further exploitation or unauthorized control, depending on the privileges of the compromised accounts.

The CVSS score of 5.3 (Medium) indicates a moderate level of risk, with the attack requiring no privileges or user interaction but resulting in limited confidentiality impact.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

I don't know

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to update the firmware of affected devices to version 3.14, where this vulnerability and related issues are fixed.

• Update Janitza UMG 96RM-E and Weidmueller Energy Meter devices to firmware version 3.14.
• Change default passwords on affected devices.
• Limit network exposure by restricting device access to trusted networks only.

Useful 0 Not Useful 0