Multiple vulnerabilities, including critical ones, exist in Danfoss AK-EM 100, potentially leading to unauthorized access and full system compromise.
Advisory Information
- Advisory ID: DSA-2023-05-01
- CVE numbers and CVSS scores
  - CVE-2023-22583: Base Score 9.8 (CRITICAL)
  - CVE-2023-22584: Base Score 7.5 (HIGH)
  - CVE-2023-22585: Base Score 6.1 (MEDIUM)
  - CVE-2023-22586: Base Score 7.5 (HIGH)
  - CVE-2023-25911: Base Score 9.8 (CRITICAL)
  - CVE-2023-25912: Base Score 5.3 (MEDIUM)
Summary
Multiple injection-related vulnerabilities exist in Danfoss AK-EM 100. These vulnerabilities could lead to the full compromise of your system. It is advised to phase out the AK-EM 100, as the AK-EM 100 reached its end of support in 2013-07 and there will be no patches released for these vulnerabilities.
Affected products and services
- Danfoss AK-EM 100 all Series
Vulnerability description
CVE-2023-22583 - SQL INJECTION IN DANFOSS AK-EM 100
The web forms of Danfoss AK-EM 100 allow for SQL injection in the login forms.
Problem type(s): CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-22584 - CLEARTEXT CREDENTIALS IN DANFOSS AK-EM 100
The Danfoss AK-EM 100 stores login credentials in cleartext.
Problem type(s): CWE-312 Cleartext Storage of Sensitive Information
CVE-2023-22585 - REFLECTED CROSS-SITE SCRIPTING IN DANFOSS AK-EM 100
The Danfoss AK-EM 100 web applications allow for Reflected Cross-Site Scripting in the title parameter.
Problem type(s): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-22586 - LOCAL FILE INCLUSION IN DANFOSS AK-EM 100
The Danfoss AK-EM 100 web applications allow for Local File Inclusion in the file parameter.
Problem type(s): CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-25911 - OS COMMAND INJECTION IN DANFOSS AK-EM 100
The Danfoss AK-EM 100 web applications allow for OS command injection through the web application parameters.
Problem type(s): CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-25912 - WEBREPORT DISCLOSURE TO UNAUTHORIZED ACTOR IN DANFOSS AK-EM 100
The webreport generation feature in the Danfoss AK-EM 100 allows an unauthorized actor to generate a web report that discloses sensitive information such as the internal IP address, usernames and internal device values.
Problem type(s): CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Remediations
- The AK-EM 100 reached its end of support in 2013-07 and no patches will be released for these vulnerabilities. Upgrading to the AK-SM 800A in combination with the Alsense cloud service is recommended.
Mitigations
- Phase out the AK-EM 100.
Credits (if opted in)
- Jony Schats (HackDefense)
- Stan Plasmeijer (HackDefense)
- Synacktiv
- Max van der Horst (Dutch Institute for Vulnerability Disclosure)
Other reference
Update log
- 25 May, 2023: Publication