Carlo Gavazzi UWP 3.0 WebApp allows for authentication bypass
Description
An improper authentication vulnerability exists in the Carlo Gavazzi UWP 3.0 (multiple versions) and CPY Car Park Server Version 2.8.3 Web-App, which allows an authentication bypass into the context of an unauthorised user if free-access is disabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authentication bypass in Carlo Gavazzi UWP 3.0 and CPY Car Park Server Web-App allows unauthorized access when free-access is disabled.
Vulnerability
An improper authentication vulnerability exists in the Carlo Gavazzi UWP 3.0 family of Monitoring Gateways and Controllers across multiple versions, and in the CPY Car Park Server Version 2.8.3 Web-App [1]. The flaw allows an attacker to bypass authentication mechanisms when the free-access feature is disabled, enabling unauthorized access to the web interface [1].
Exploitation
An attacker with network access to the affected device’s web interface can exploit this vulnerability without prior authentication. The exploitation requires that the free-access setting is disabled, which is a common security configuration. By manipulating authentication requests, the attacker can bypass the login process and gain access to the web application as an unauthorized user [1].
Impact
Successful exploitation grants the attacker access to the web interface of the device in the context of an unauthorized user. This can lead to further attacks, such as information disclosure, configuration changes, or denial of service, depending on the capabilities exposed through the web interface. The advisory describes the overall impact as allowing an attacker to get full access to the affected devices [1].
Mitigation
Carlo Gavazzi has released firmware updates for the UWP 3.0 family and a software update for the CPY Car Park Server to address this vulnerability. Users should update to the latest versions as specified in the advisory from the vendor. The advisory is published by CERT@VDE under reference VDE-2022-029 [1]. No workaround is mentioned if patching is not immediately possible, but disabling web access from untrusted networks reduces risk.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: = 2.8.3
- (no CPE) range: 2
- Carlo Gavazzi / UWP 3.0 Monitoring Gateway and Controller (v5) range: 8
- Carlo Gavazzi / UWP 3.0 Monitoring Gateway and Controller – EDP version (v5) range: 8
- Carlo Gavazzi / UWP 3.0 Monitoring Gateway and Controller – Security Enhanced (v5) range: 8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://cert.vde.com/en/advisories/VDE-2022-029/ (MITRE x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.