Insecure permissions in REHAU Group Unlimited Polymer Solutions implementation of Carel pCOWeb configuration tool exposes heating and temperature control systems to remote attackers.
About Carel pCOWeb
The pCOWeb card is used to connect the pCO Sistema to networks that use HVAC protocols based on the Ethernet physical standard (e.g. BACnet IP, Modbus TCP/IP and SNMP). The card also features an integrated web server for remote device management. The embedded Linux operating system allows applications (plug-ins), developed directly by users to meet their own requirements, to be added.
Unauthenticated access to Rehau pCOWeb web interface
Rehau devices with the embedded pCOWeb service are deployed in a way that makes the service reachable on various ports, most commonly 8080, 80, 443, 7777, 9002 and 10000, and allows unauthenticated access to the management interface. The issue can be confirmed on an affected device by requesting http://target_ip:target_port/http/ , which loads the default management page http://target_ip:target_port/http/default.html and grants full unauthenticated access to the configuration and service interface.
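The check described above, as an added self-audit script for verifying your own REHAU/pCOWeb deployments (example code, not part of the advisory or of Carel's or REHAU's software): it requests `/http/` on each of the ports listed above, does not follow redirects, and reports whether the interface answered without an authentication challenge. Function names, the `User-Agent` string and the verdict labels are assumptions of this example.

```python
import ssl
import urllib.error
import urllib.request

# Ports the advisory lists as commonly exposing the pCOWeb interface.
PCOWEB_PORTS = (8080, 80, 443, 7777, 9002, 10000)
PCOWEB_PATH = "/http/"  # default.html is served from here on affected devices


def assess(status, headers):
    """Classify one response to /http/ from its status code and header dict.

    200 with no WWW-Authenticate challenge means the management interface
    loaded without credentials, which is the exposure the advisory describes.
    """
    headers = {k.lower(): v for k, v in headers.items()}
    if status in (401, 407) or "www-authenticate" in headers:
        return "auth-required"
    if status == 200:
        return "unauthenticated"
    if status in (301, 302, 303, 307, 308):
        # Sent elsewhere (possibly a login page): record, but do not follow.
        return "redirect:" + headers.get("location", "")
    return "no-interface"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Turn redirects into HTTPError so assess() sees the original status.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(host, port, timeout=5.0):
    """Request /http/ on one host:port and return the assess() verdict."""
    scheme = "https" if port == 443 else "http"
    # Embedded devices usually carry self-signed certificates; this check is
    # about exposure, not certificate validity, so verification is disabled.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(f"{scheme}://{host}:{port}{PCOWEB_PATH}",
                                 headers={"User-Agent": "pcoweb-exposure-audit"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return assess(resp.status, dict(resp.headers.items()))
    except urllib.error.HTTPError as err:
        return assess(err.code, dict(err.headers.items()))
    except (urllib.error.URLError, OSError):
        return "unreachable"


def audit(hosts):
    """Return {(host, port): verdict} for every host/port that responded."""
    return {(h, p): v for h in hosts for p in PCOWEB_PORTS
            if (v := probe(h, p)) != "unreachable"}
```

Any `unauthenticated` result in `audit()` is a device that should be firewalled off from untrusted networks until it is reconfigured.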