Vulnerability Report

[Suggested description] CVE-2023-47573

A vulnerability has been identified in Relyum RELY-PCIe 22.2.1 devices. The authorization mechanism is not enforced in the web interface, allowing a low-privileged user to execute administrative functions.

Vulnerability Type: Incorrect Access Control.
Vendor of Product: System-on-Chip engineering S.L.
Affected Product Code Base: RELY-PCIe – 22.2.1.
Affected Component: Web server of the equipment.
Attack Type: Remote.
Impact: Escalation of Privileges.
Attack Vectors: An attacker can change settings, including administrative passwords.
Vendor Confirmation: True.
Discoverer: Michael Messner and Benedikt Kühne from Siemens Energy.

[Suggested description] CVE-2023-47574

A vulnerability exists in Relyum RELY-PCIe 22.2.1 and RELY-REC 23.1.0 devices due to a Weak SMB configuration with signing disabled.

Vulnerability Type: Incorrect Access Control.
Vendor of Product: System-on-Chip engineering S.L.
Affected Product Code Base: RELY-PCIe – 22.2.1, RELY-REC – 23.1.0.
Attack Type: Remote.
Impact: Information Disclosure.
Attack Vectors: Possible man-in-the-middle attacks.
Vendor Confirmation: True.
Discoverer: Michael Messner and Benedikt Kühne from Siemens Energy.

[Suggested description] CVE-2023-47575

Relyum RELY-PCIe 22.2.1 and RELY-REC 23.1.0 devices are vulnerable to reflected XSS in their web interfaces.

Vulnerability Type: Cross Site Scripting (XSS).
Vendor of Product: System-on-Chip engineering S.L.
Affected Product Code Base: RELY-PCIe – 22.2.1, RELY-REC – 23.1.0.
Affected Component: Impact on web visualization.
Attack Type: Remote.
CVE Impact: Other (impact on web visualization).
Attack Vectors: Attacker can perform arbitrary actions on the web application.
Vendor Confirmation: True.
Discoverer: Michael Messner and Benedikt Kühne from Siemens Energy.

[Suggested description] CVE-2023-47576

A vulnerability is present in Relyum RELY-PCIe 22.2.1 and RELY-REC 23.1.0 devices, allowing authenticated command injection through the web interface.

Vulnerability Type: Command Injection.
Vendor of Product: System-on-Chip engineering S.L.
Affected Product Code Base: RELY-PCIe – 22.2.1, RELY-REC – 23.1.0.
Affected Component: Web server of the equipment.
Attack Type: Remote.
Impact: Code execution, Escalation of Privileges.
Attack Vectors: Attacker can execute commands as the www-data system user.
Vendor Confirmation: True.
Discoverer: Michael Messner and Benedikt Kühne from Siemens Energy.

[Suggested description] CVE-2023-47577

Relyum RELY-PCIe 22.2.1 and RELY-REC 23.1.0 devices have a vulnerability where there is no check for the current password, allowing unauthorized password changes.

Vulnerability Type: No Check for Current Password.
Vendor of Product: System-on-Chip engineering S.L.
Affected Product Code Base: RELY-PCIe – 22.2.1, RELY-REC – 23.1.0.
Affected Component: Web, Command Line Interface.
Attack Type: Remote.
Impact: Escalation of Privileges.
Attack Vectors: Attacker can change passwords without knowing the current password.
Vendor Confirmation: True.
Discoverer: Michael Messner and Benedikt Kühne from Siemens Energy.

[Suggested description] CVE-2023-47578

Relyum RELY-PCIe 22.2.1 and RELY-REC 23.1.0 devices are susceptible to Cross Site Request Forgery (CSRF) attacks due to the absence of CSRF protection in the web interface.

Vulnerability Type: Cross Site Request Forgery (CSRF).
Vendor of Product: System-on-Chip engineering S.L.
Affected Product Code Base: RELY-PCIe – 22.2.1, RELY-REC – 23.1.0.
Affected Component: Web interface.
Attack Type: Remote.
CVE Impact: Other (CSRF).
Attack Vectors: Attacker can force the victim to perform actions without detection, potentially combined with other vulnerabilities.
Vendor Confirmation: True.
Discoverer: Michael Messner and Benedikt Kühne from Siemens Energy.

[Suggested description] CVE-2023-47579

Relyum RELY-PCIe 22.2.1 devices suffer from a system group misconfiguration, allowing read access to the central password hash file of the operating system.

Vulnerability Type: Incorrect Access Control, Misconfiguration.
Vendor of Product: System-on-Chip engineering S.L.
Affected Product Code Base: RELY-PCIe – 22.2.1.
Attack Type: Remote.
Impact: Escalation of Privileges.
Attack Vectors: Password hashes extraction via other vulnerabilities.
Vendor Confirmation: True.
Discoverer: Michael Messner and Benedikt Kühne from Siemens Energy.

[Suggested description] CVE-2021-44142, CVE-2017-7494, and CVE-2015-3200

Relyum devices use outdated software components with known vulnerabilities, leaving them exposed to potential exploits.

Vulnerability Type: Outdated Software Components.
Vendor of Product: System-on-Chip engineering S.L.
Affected Product Code Base: RELY-PCIe – 22.2.1, RELY-REC – 23.1.0.
Affected Component: Relyum-outdated software components with known vulnerabilities.
Attack Type: Remote.
CVE Impact: None.
Attack Vectors: Remote compromise of the device (depends on the vulnerable component and the configuration).
Vendor Confirmation: True.
Discoverer: Michael Messner and Benedikt Kühne from Siemens Energy.

[Suggested description] CVE-2024-44569

Incorrect access control in the ZeroMQ interface of RELY-PCIe v22.2.1 to v23.1.0 allows unauthenticated attackers to arbitrarily reconfigure the settings for the device.

Vulnerability Type: Incorrect Access Control.
Vendor of Product: System-on-Chip engineering S.L.
Affected Product Code Base: RELY-PCIe – 22.2.1, RELY-PCIe – 23.1.0.
Attack Type: Remote.
CVE Impact: Other (an attacker can reconfigure the device without authentication).
Attack Vectors: Network access to the unprotected ZeroMQ interface.
Vendor Confirmation: True.
Discoverer: Michael Messner and Benedikt Kühne from Siemens Energy.

[Suggested description] Duplicate of CVE-2024-44569

An issue discovered in Relyum RELY-PCIe 23.1.0 and RELY-PCIe 22.2.1 devices. The ZeroMQ interface is reachable from the network. This allows an attacker to communicate with the interface and trigger a DoS situation.

Vulnerability Type: Incorrect Access Control.
Vendor of Product: System-on-Chip engineering S.L.
Affected Product Code Base: RELY-PCIe – 22.2.1, RELY-PCIe – 23.1.0.
Attack Type: Remote.
Impact: Denial of Service.
Attack Vectors: Network access to the unprotected ZeroMQ interface.
Vendor Confirmation: True.
Discoverer: Michael Messner from Siemens Energy.

[Suggested description] CVE-2024-44570

RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a code injection vulnerability via the getParams function in phpinf.php.

Vulnerability Type: Incorrect Access Control.
Vendor of Product: System-on-Chip engineering S.L.
Affected Product Code Base: RELY-PCIe – 22.2.1, RELY-PCIe – 23.1.0.
Attack Type: Remote.
Impact: Escalation of Privileges.
Attack Vectors: Low privileged user credentials (i.e sys-operator) and access to the web-interface.
Vendor Confirmation: True.
Discoverer: Benedikt Kühne from Siemens Energy

[Suggested description] CVE-2024-44571

RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain incorrect access control in the mService function at phpinf.php.

Vulnerability Type: Incorrect Access Control.
Vendor of Product: System-on-Chip engineering S.L.
Affected Product Code Base: RELY-PCIe – 22.2.1, RELY-PCIe – 23.1.0.
Attack Type: Remote.
CVE Impact: Other (close to complete systemctl access leading to integrity and availability control).
Attack Vectors: Low privileged user credentials (i.e sys-operator) and access to the web-interface.
Vendor Confirmation: True.
Discoverer: Benedikt Kühne from Siemens Energy.

[Suggested description] CVE-2024-44572

RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injection vulnerability via the sys_mgmt function.

Vulnerability Type: Incorrect Access Control.
Vendor of Product: System-on-Chip engineering S.L.
Affected Product Code Base: RELY-PCIe – 22.2.1, RELY-PCIe – 23.1.0.
Attack Type: Remote.
Impact: Escalation of Privileges.
Attack Vectors: Low privileged access (sys-operator) to the restricted CLI interface via SSH.
Vendor Confirmation: True.
Discoverer: Michael Messner from Siemens Energy.

[Suggested description] CVE-2024-44573

A stored cross-site scripting (XSS) vulnerability in the VLAN configuration of RELY-PCIe v22.2.1 to v23.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

Vulnerability Type: Cross-Site Scripting (XSS).
Vendor of Product: System-on-Chip engineering S.L.
Affected Product Code Base: RELY-PCIe – 22.2.1, RELY-PCIe – 23.1.0.
Attack Type: Remote.
Impact: Code Execution.
CVE Impact: Other (an attacker can store a script for extracting session information inside the web-application).
Attack Vectors: Low-privileged access to the web-service.
Vendor Confirmation: True.
Discoverer: Benedikt Kühne from Siemens Energy.

[Suggested description] CVE-2024-44574

RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injection vulnerability via the sys_conf function.

Vulnerability Type: Incorrect Access Control.
Vendor of Product: System-on-Chip engineering S.L.
Affected Product Code Base: RELY-PCIe – 22.2.1, RELY-PCIe – 23.1.0.
Attack Type: Remote.
Impact: Escalation of Privileges.
Attack Vectors: Low privileged access (sys-operator) to the restricted CLI interface via SSH.
Vendor Confirmation: True.
Discoverer: Michael Messner and Benedikt Kühne from Siemens Energy.

[Suggested description] CVE-2024-44575

RELY-PCIe v22.2.1 to v23.1.0 does not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in cleartext over an HTTP session.

Vulnerability Type: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute.
Vendor of Product: System-on-Chip engineering S.L.
Affected Product Code Base: RELY-PCIe – 23.1.0.
Attack Type: Remote.
Impact: An attacker can store a script for extracting session information inside the web-application.
Attack Vectors: Previous user interaction needed.
Vendor Confirmation: True.
Discoverer: Benedikt Kühne from Siemens Energy.

[Suggested description] CVE-2024-44577

RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injection vulnerability via the time_date function.

Vulnerability Type: Incorrect Access Control.
Vendor of Product: System-on-Chip engineering S.L.
Affected Product Code Base: RELY-PCIe – 22.2.1, RELY-PCIe – 23.1.0.
Attack Type: Remote.
Impact: Escalation of Privileges.
Attack Vectors: Low privileged access (sys-operator) to the restricted CLI interface via SSH.
Vendor Confirmation: True.
Discoverer: Michael Messner from Siemens Energy.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.