CVE-2020-12496 Explained : Impact and Mitigation
Learn about CVE-2020-12496 affecting Endress+Hauser Ecograph T and Memograph M devices with firmware version V2.0.0. Discover the impact, affected systems, and mitigation steps.
Endress+Hauser Ecograph T and Memograph M devices with firmware version V2.0.0 are vulnerable to exposing sensitive information to unauthorized users.
Understanding CVE-2020-12496
This CVE involves the exposure of sensitive data on specific Endress+Hauser devices due to a security flaw in the firmware.
What is CVE-2020-12496?
The vulnerability in Endress+Hauser Ecograph T and Memograph M devices allows unauthorized users to access sensitive information due to issues in the access-control matrix.
The Impact of CVE-2020-12496
The vulnerability has a CVSS base score of 6.5, indicating a medium severity issue with high confidentiality impact.
Technical Details of CVE-2020-12496
Endress+Hauser devices with firmware version V2.0.0 are affected by this vulnerability.
Vulnerability Description
The firmware allows unauthorized access to sensitive data due to a flawed access-control matrix.
Affected Systems and Versions
- RSG35 - Ecograph T
- ORSG35 - Ecograph T Neutral/Private Label
- RSG45 - Memograph M
- ORSG45 - Memograph M Neutral/Private Label
- Firmware version V2.0.0
Exploitation Mechanism
Unauthorized users with low rights can access information from endpoints not meant for them.
Mitigation and Prevention
Endress+Hauser recommends specific measures to mitigate the vulnerability.
Immediate Steps to Take
- Configure a perimeter firewall to block traffic from untrusted networks
- Change default passwords for operator, service, and admin accounts
Long-Term Security Practices
- Regularly update firmware and security patches
- Conduct security audits and assessments
Patching and Updates
Endress+Hauser will not change the firmware behavior, so customers must implement the provided mitigation measures.