Security Advisory IBA-2022-04

Hardcoded credentials

Publishing Date: 2022-04-12
Last Update: 2022-04-12
Tracking ID: IBA-2022-04
CVSS Base Score: 2.8
CVSS v3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Summary

An attacker was able to extract hardcoded FTP credentials from the application.

Affected products

ibaPDA
All versions prior to v7.3.13

How do I know that I'm affected?

Check the version number in the title of the status application on the system where the server is running.

Customer Actions

Please update to ibaPDA v7.3.13 or higher.

Technical Details

Issue

FTP client component
The FTP client component had hardcoded default credentials for accessing FTP servers that allowed anonymous login.

Acknowledgements

Shell Marine Risk Team
Shell CyberDefence & Risk Operations Penetration Testing team

Christian EP. Wiedemer from Aspin Kemp & Associates Inc.

iba AG recognizes the efforts of those in the security community who help us to improve the security posture of the products and protect customers.

Timeline

2022-03-21 Notified by Aspin Kemp & Associates Inc.
2022-04-12 New ibaPDA version released
2022-04-12 Security advisory published