CVE-2024-12012

5.7 MEDIUM

📋 TL;DR

This vulnerability exposes password hashes and session tokens in URLs due to improper use of GET requests with sensitive data in the 130.8005 TCP/IP Gateway. Attackers who can intercept these URLs (through network monitoring or browser access) can steal credentials and bypass authentication via pass-the-hash attacks. Only systems running firmware version 12h of this specific gateway are affected.

💻 Affected Systems

Products:
  • 130.8005 TCP/IP Gateway
Versions: Firmware version 12h
Operating Systems: Embedded/Proprietary
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the specific gateway model with the vulnerable firmware version. No other products or versions are known to be affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through authentication bypass, allowing unauthorized access to the industrial control system network and potential manipulation of critical infrastructure.

🟠 Likely Case

Session hijacking and unauthorized access to the gateway management interface, leading to configuration changes or network reconnaissance.

🟢 If Mitigated

Limited impact if proper network segmentation and monitoring prevent attackers from accessing the vulnerable URLs.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to obtain the vulnerable URLs containing sensitive data, which can be achieved through network sniffing or accessing browser history/cache.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor for updated firmware

Vendor Advisory: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-12012

Restart Required: Yes

Instructions:

1. Contact the vendor for patched firmware version
2. Backup current configuration
3. Apply firmware update following vendor instructions
4. Restart the gateway
5. Verify functionality

🔧 Temporary Workarounds

Network Segmentation (all)

Isolate the gateway from untrusted networks and limit access to authorized management stations only.

HTTPS Enforcement (all)

Configure the gateway to require HTTPS for all management access and disable HTTP if possible.

🧯 If You Can't Patch

  • Implement strict network access controls to prevent unauthorized access to the gateway management interface.
  • Deploy network monitoring to detect suspicious access patterns or URL parameter harvesting attempts.

🔍 How to Verify

Check if Vulnerable:

Check if the gateway is running firmware version 12h via the management interface or console.

Check Version:

Check via web interface or use vendor-specific CLI commands (consult vendor documentation)

Verify Fix Applied:

Verify the firmware version has been updated to a version later than 12h and test that sensitive data no longer appears in URL parameters.

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication attempts
  • Access to URLs containing hash or token parameters
  • Multiple failed login attempts followed by successful authentication with stolen credentials

Network Indicators:

  • HTTP GET requests containing 'password', 'hash', 'token', or similar parameters in query strings
  • Traffic to gateway management interface from unexpected sources

SIEM Query:

source="gateway_logs" AND (url="*password=*" OR url="*hash=*" OR url="*token=*")
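
The same check can be run offline over exported proxy or web-server access logs. The script below is an added example, not code from this page or from the vendor advisory: it flags GET requests whose query-string parameter names contain 'password', 'hash' or 'token', decodes percent-encoded names that a plain wildcard match would miss, and masks the values so the alert does not re-leak them. The log format (Common Log Format), paths, parameter names and addresses are assumptions made for the sample.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter-name fragments taken from the network indicators listed above.
SENSITIVE = ("password", "hash", "token")

# Assumed input: Common Log Format lines, e.g. ip - - [ts] "METHOD target HTTP/x" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def scan_line(line):
    """Return a finding dict for a GET request carrying a sensitive parameter, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    parts = urlsplit(m["target"])
    # parse_qsl percent-decodes names; keep_blank_values keeps "token=" visible.
    params = parse_qsl(parts.query, keep_blank_values=True)
    hits = sorted({k for k, _ in params if any(s in k.lower() for s in SENSITIVE)})
    if not hits:
        return None
    # Rebuild the query with flagged values masked before it reaches an alert or ticket.
    redacted = "&".join(
        f"{k}=<redacted>" if k in hits else f"{k}={v}" for k, v in params)
    return {"ip": m["ip"], "status": int(m["status"]), "params": hits,
            "url": f"{parts.path}?{redacted}"}

def scan(lines):
    """Scan an iterable of log lines and return all findings in order."""
    return [f for f in map(scan_line, lines) if f]

# Constructed sample log lines; none of these values come from a real device.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /login.cgi?user=admin&pwdHash=deadbeef HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2025:10:00:05 +0000] "POST /login.cgi HTTP/1.1" 200 128',
    '192.0.2.11 - - [01/Jan/2025:10:01:00 +0000] "GET /status.cgi?page=2 HTTP/1.1" 200 900',
    '198.51.100.7 - - [01/Jan/2025:10:02:00 +0000] "GET /cfg.cgi?sess%54oken=abc123&view=net HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

After a firmware update, an empty result over fresh logs supports the "sensitive data no longer appears in URL parameters" check under How to Verify.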
