CVE-2024-6788
📋 TL;DR
An unauthenticated attacker on the local network can exploit the firmware update feature to reset the password for the low-privileged 'user-app' account to its default value. This affects devices with vulnerable firmware versions that expose the LAN interface. Attackers can gain initial access to devices without authentication.
💻 Affected Systems
- Specific product names not provided in CVE description
📦 What is this software?
Charx Sec 3000 Firmware by Phoenixcontact
Charx Sec 3050 Firmware by Phoenixcontact
Charx Sec 3100 Firmware by Phoenixcontact
Charx Sec 3150 Firmware by Phoenixcontact
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain persistent access to the device, pivot to other systems, and potentially escalate privileges to compromise the entire network.
Likely Case
Attackers gain unauthorized access to the device using the default 'user-app' credentials, enabling reconnaissance and further exploitation.
If Mitigated
If network segmentation and access controls are implemented, the attack surface is limited to isolated segments with minimal impact.
🎯 Exploit Status
Exploitation requires network access to the LAN interface but no authentication. Attack vector is straightforward once identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched versions
Vendor Advisory: https://cert.vde.com/en/advisories/VDE-2024-022
Restart Required: Yes
Instructions:
1. Check vendor advisory for affected products. 2. Download and apply firmware update from vendor. 3. Reboot device after update. 4. Verify fix by testing password reset functionality.
🔧 Temporary Workarounds
Disable firmware update on LAN interface
allIf possible, disable the firmware update feature on the LAN interface to prevent exploitation.
Device-specific configuration commands required
Network segmentation
allIsolate vulnerable devices in separate network segments with strict access controls.
Configure firewall rules to restrict LAN access to device management interfaces
🧯 If You Can't Patch
- Implement strict network access controls to limit LAN interface exposure
- Change default 'user-app' password and monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Attempt to access firmware update feature via LAN interface without authentication and test if password reset is possible.Check Version:
Device-specific command to check firmware version (consult device documentation)Verify Fix Applied:
After patching, verify that password reset via firmware update feature no longer works without proper authentication.📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to firmware update endpoints
- Password reset events for 'user-app' account
Network Indicators:
- Unusual traffic to device management ports on LAN interface
- Firmware update requests from unauthorized sources
SIEM Query:
source_ip IN (internal_range) AND dest_port IN (management_ports) AND action='firmware_update'