Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Insecure permissions in REHAU Group Unlimited Polymer Solutions implementation of Carel pCOWeb configuration tool exposes heating and temperature control systems to remote attackers.

About Carel pCOWeb

The pCOWeb card is used to connect the pCO Sistema to networks that use HVAC protocols based on the Ethernet physical standard (e.g. BACnet IP, Modbus TCP/IP and SNMP).

The card also features an integrated Web-Server for remote device management. The embedded LINUX operating system allows applications (plug-ins) to be added, developed directly by users to meet their own requirements.

Unauthenticated access to Rehau pCOWeb web interface

Rehau devices with embedded pCOWeb service are implemented in a way that makes them accessible on various ports, most commonly on ports 8080, 80, 443, 7777, 9002 and 10000, allowing unauthenticated access to the management interface. The issue can be tested on impacted devices by typing http://target_ip:target_port/http/ , which should load the default management interface page http://target_ip:target_port/http/default.html and allow full unauthenticated access to the configuration and service interface.

Attack surface

Using Shodan a number of 31 vulnerable devices were discovered, most of them in Hungary and Romania.

Remedy and risk mitigation

Since the BIOS v6.27 / BOOT v5.00 / Web version v2.2 of the web interface provides no option to enable user authentication, the only mitigation available is to deny access to the pCOWeb service ports from WAN.

Author

Sergiu Sechel (https://sergiusechel.medium.com/insecure-permissions-in-rehau-group-unlimited-polymer-solutions-implementation-of-carel-pcoweb-514c148ae694)