Talos Vulnerability Report

TALOS-2022-1461

Bachmann Visutec GmbH Atvise License registration information disclosure vulnerability

June 15, 2022
CVE Number

CVE-2022-21184

Summary

An information disclosure vulnerability exists in the License registration functionality of Bachmann Visutec GmbH Atvise 3.5.4, 3.6 and 3.7. A plaintext HTTP request can lead to a disclosure of login credentials. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.

Tested Versions

Bachmann Visutec GmbH Atvise 3.5.4
Bachmann Visutec GmbH Atvise 3.6
Bachmann Visutec GmbH Atvise 3.7

Product URLs

Atvise - http://www.atvise.com

CVSSv3 Score

5.9 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-319 - Cleartext Transmission of Sensitive Information

Details

The Atvise SCADA software package is a cross-platform solution for managing SCADA networks.

While registering the Atvise software, the user has to enter the login and password for their Atvise.com website account into the client application. These credentials are then sent in a plaintext HTTP POST request to www.atvise.com. An attacker able to man-in-the-middle the connection could steal these credentials and use them to log into the Atvise website and download software and licenses. There is no impact to the machine running the client component.
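As an added example (not part of this advisory and not Atvise's own code), the following Python checks a set of captured client-to-server flows for the pattern described above: credential-bearing form fields inside an HTTP POST that was not sent over TLS. It is the kind of passive check a practitioner can run against a capture taken during registration, before and after applying the vendor update, to confirm that the credentials no longer leave the client in the clear. The sample flows are constructed, and the form field names in CREDENTIAL_KEYS are an assumption; the advisory does not state which field names the registration form uses.

```python
"""Flag credentials sent in cleartext HTTP POST bodies (CWE-319 check).

Added example, not part of the Talos advisory or of the Atvise product.
The captured flows below are constructed, and the credential field names
are an assumption; the real form field names are not given in the advisory.
"""
from urllib.parse import parse_qs

# Field names that commonly carry login credentials in web forms (assumption).
CREDENTIAL_KEYS = {"login", "username", "user", "email", "password", "pass", "pwd"}


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body).

    Raises ValueError if the bytes do not start with an HTTP request line,
    which is how non-HTTP payloads (e.g. TLS records) are rejected.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)  # ValueError if not 3 parts
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def credential_fields(method, headers, body):
    """Return the sorted credential-like field names in a form-encoded POST
    body, or [] when the request is not a form POST."""
    if method != "POST":
        return []
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return []
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return sorted(k for k in fields if k.lower() in CREDENTIAL_KEYS)


def audit_capture(flows):
    """Walk captured client->server flows and report credentials sent in the clear.

    Each flow is ((dst_host, dst_port), payload_bytes). Port 443 is treated
    as TLS-protected and skipped; every other port is inspected as cleartext
    HTTP. Returns [(dst_host, request_target, [field, ...]), ...].
    """
    findings = []
    for (host, port), payload in flows:
        if port == 443:
            continue  # protected by TLS; payload is opaque to a passive observer
        try:
            method, target, headers, body = parse_http_request(payload)
        except ValueError:
            continue  # not HTTP (binary protocol, TLS on a non-standard port, ...)
        fields = credential_fields(method, headers, body)
        if fields:
            findings.append((host, target, fields))
    return findings


# Constructed sample capture (not real Atvise traffic).
SAMPLE_CAPTURE = [
    # Registration form submitted over cleartext HTTP: the pattern the advisory describes.
    (("www.atvise.com", 80),
     b"POST /registration HTTP/1.1\r\n"
     b"Host: www.atvise.com\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: 41\r\n"
     b"\r\n"
     b"login=alice%40example.com&password=s3cret"),
    # Ordinary cleartext GET carrying no credentials.
    (("www.atvise.com", 80),
     b"GET /downloads HTTP/1.1\r\nHost: www.atvise.com\r\n\r\n"),
    # The same form sent over TLS: only an opaque record is visible on the wire.
    (("www.atvise.com", 443),
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]


if __name__ == "__main__":
    for host, target, fields in audit_capture(SAMPLE_CAPTURE):
        print(f"cleartext credentials to {host}{target}: {', '.join(fields)}")
```

After installing the vendor's updated version, the same check should produce no findings for the registration request: either the flow moves to port 443 and is skipped as opaque, or no form POST with credential fields appears on a cleartext port at all.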

Vendor Response

The vendor has provided an updated version at the following URL: https://customer.atvise.com/de/component/phocadownload/category/116-atvise-3-7

Timeline

2022-02-02 - Initial vendor contact
2022-02-16 - Vendor Disclosure
2022-06-15 - Public Release
2022-06-15 - Vendor Patch Release

Credit

Discovered by Martin Zeiser of Cisco Talos.