CVE-2012-6427

Carlo Gavazzi EOS Box SQL Injection

Description

The Carlo Gavazzi EOS-Box does not check the validity of the data before executing queries. By accessing the SQL table of certain pages that do not require authentication, attackers can leak information from the device. This could allow the attacker to compromise confidentiality.

Remediation

Solution:

Carlo Gavazzi has developed a new firmware Version 1.0.0.1080_2.1.10 that mitigates these vulnerabilities. Carlo Gavazzi released the new firmware Tuesday, December 18, 2012, directly to the devices. Users will be able to manually download the firmware on their device by using the Firmware Update function in the System Menu in the device’s Web interface.

References

Link	Tags
https://www.cisa.gov/news-events/ics-advisories/icsa-12-354-02
http://www.us-cert.gov/control_systems/pdf/ICSA-12-354-02.pdf	us government resource

Frequently Asked Questions

What is the severity of CVE-2012-6427?: CVE-2012-6427 has been scored as a high severity vulnerability.
How to fix CVE-2012-6427?: To fix CVE-2012-6427: Carlo Gavazzi has developed a new firmware Version 1.0.0.1080_2.1.10 that mitigates these vulnerabilities. Carlo Gavazzi released the new firmware Tuesday, December 18, 2012, directly to the devices. Users will be able to manually download the firmware on their device by using the Firmware Update function in the System Menu in the device’s Web interface.
Is CVE-2012-6427 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2012-6427 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2012-6427?: CVE-2012-6427 affects Carlo Gavazzi Automation EOS-Box.

Description

Remediation

Category

CWE-89 – Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

References

Frequently Asked Questions