GateManager Log Information Disclosure Vulnerability
Description
A log information disclosure vulnerability in B&R GateManager 4260 and 9250 versions <9.0.20262 and GateManager 8250 versions <9.2.620236042 allows authenticated users to view log information reserved for other users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated user can view log information reserved for other users in B&R GateManager versions prior to 9.0.20262 (4260, 9250) and 9.2.620236042 (8250).
Vulnerability
The vulnerability exists in B&R GateManager devices, specifically models 4260 and 9250 in versions prior to 9.0.20262 and model 8250 in versions prior to 9.2.620236042. It is a log information disclosure issue in which the application fails to properly restrict log access, allowing authenticated users to view log information that should be reserved for other users [1].
Exploitation
An attacker must have valid authentication credentials to the GateManager web interface. Once authenticated, they can directly access log entries intended for other users without any additional privileges or user interaction. The attack can be performed remotely over the network [1].
Impact
Successful exploitation leads to disclosure of sensitive log information, which may include data from other users' sessions, system events, or configuration details. This could aid in further attacks or expose confidential information. The CVSS v3 base score is 7.7 (High) with a vector string (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) [1].
Mitigation
B&R recommends updating to the fixed versions: GateManager 4260 and 9250 to version 9.0.20262 or later, and GateManager 8250 to version 9.2.620236042 or later. If upgrading is not possible, users should restrict network access to the web interface and follow general security best practices. The CISA advisory (ICS-VU-987345) provides further guidance [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <9.0.20262 (4260/9250), <9.2.620236042 (8250)
- (no CPE) range: 4260
Patches
No patches discovered yet.
References
- us-cert.cisa.gov/ics/advisories/icsa-20-273-03 (mitre, x_refsource_MISC)
- www.br-automation.com/downloads_br_productcatalogue/assets/1600003183751-de-original-1.0.pdf (mitre, x_refsource_MISC)