VYPR
Unrated severity · NVD Advisory · Published Oct 15, 2020 · Updated Sep 17, 2024

GateManager Information Disclosure Vulnerability

CVE-2020-11643

Description

An information disclosure vulnerability in B&R GateManager 4260 and 9250 versions <9.0.20262 and GateManager 8250 versions <9.2.620236042 allows authenticated users to view information of devices belonging to foreign domains.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated attacker can read device information belonging to foreign domains in B&R GateManager before specific patches.

Vulnerability

An information disclosure vulnerability exists in B&R GateManager 4260 and 9250 versions prior to 9.0.20262 and GateManager 8250 versions prior to 9.2.620236042. The flaw allows authenticated users to view information of devices that belong to foreign domains, violating intended domain isolation. The vulnerability is classified as CWE-200 Information Exposure [1].

Exploitation

An attacker must have valid authentication credentials for a GateManager instance. No special network position is required beyond network access to the management interface. The flaw is a lack of proper access controls, which should restrict device information visibility to the user's own domain. The reference notes that a low skill level is needed to exploit it [1].

Impact

Successful exploitation allows an authenticated attacker to gather information about devices belonging to a foreign organization. This information could then be abused for further malicious activities, leading to a confidentiality impact with a CVSS v3 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) [1].

Mitigation

B&R has released GateManager 4260 and 9250 version 9.0.20262 and GateManager 8250 version 9.2.620236042 to address this vulnerability. Users should upgrade to these fixed versions or later. The CISA advisory (ICSA-20-273-03) provides the official vendor notification [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • (no CPE) range: <9.0.20262 for 4260 and 9250; <9.2.620236042 for 8250
  • (no CPE) range: 4260

References

2
