Learn about CVE-2021-34563 impacting WirelessHART-Gateway. Discover how the missing HttpOnly flag in versions 3.0.8 and 3.0.9 allows JavaScript manipulation of cookies.
In PEPPERL+FUCHS WirelessHART-Gateway versions 3.0.8 and 3.0.9, a missing HttpOnly attribute in a cookie allows client-side JavaScript to read or set its value.
Understanding CVE-2021-34563
This Common Vulnerabilities and Exposures (CVE) record highlights a vulnerability in WirelessHART-Gateway versions 3.0.8 and 3.0.9 that compromises cookie security.
What is CVE-2021-34563?
The vulnerability in WirelessHART-Gateway allows the alteration of a cookie's value by client-side JavaScript due to the absence of the HttpOnly flag.
The Impact of CVE-2021-34563
With a CVSS base score of 3.3, this low-severity vulnerability requires user interaction for exploitation and affects confidentiality and integrity.
Technical Details of CVE-2021-34563
This section delves into the specifics of the vulnerability in WirelessHART-Gateway versions 3.0.8 and 3.0.9.
Vulnerability Description
The HttpOnly flag missing in a cookie enables JavaScript to read or modify its value, posing a security risk.
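To make the flaw concrete, here is an added example (not code from the advisory or from PEPPERL+FUCHS) that audits a Set-Cookie header for the HttpOnly flag, simulates which cookies a browser would expose to page script through document.cookie, and builds the hardened header a session cookie should carry. The sample header values are constructed for illustration, and the function names are my own; it runs under Node.js with no dependencies.

```javascript
// Added example, not from the advisory or the vendor: audit Set-Cookie headers
// for the HttpOnly flag and show which cookies page script could read.

// Parse one Set-Cookie header value into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    attrs[key] = eq === -1 ? true : attr.slice(eq + 1);
  }
  return { name: name.trim(), value: rest.join('='), attrs };
}

// Report the attributes a session cookie should carry. scriptAccessible is
// exactly the CVE-2021-34563 condition: no HttpOnly means script can read/write it.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  return {
    name: c.name,
    httpOnly: Boolean(c.attrs.httponly),
    secure: Boolean(c.attrs.secure),
    sameSite: c.attrs.samesite ? String(c.attrs.samesite) : null,
    scriptAccessible: !c.attrs.httponly,
  };
}

// Simulate document.cookie for a list of Set-Cookie headers: browsers hide
// HttpOnly cookies from script entirely, so only the rest are returned.
// (Assumes distinct cookie names; later same-name cookies are not merged.)
function scriptVisibleCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Build the Set-Cookie header a hardened session cookie should use.
function hardenedSetCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Constructed sample headers (not captured from a real gateway).
const WEAK = 'sessionid=abc123; Path=/';            // the vulnerable shape
const FIXED = hardenedSetCookie('auth', 'xyz789');  // the corrected shape

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditSetCookie(WEAK));   // httpOnly: false, scriptAccessible: true
  console.log(auditSetCookie(FIXED));  // httpOnly: true, scriptAccessible: false
  console.log('script sees:', scriptVisibleCookies([WEAK, FIXED, 'theme=dark']));
}
```

Running auditSetCookie over the Set-Cookie headers returned by a device's web interface is a quick way to confirm whether a firmware version still exhibits the flaw; a session cookie that reports scriptAccessible: true is exposed to any script running in the page, which is why the fix is to emit the header in the hardened form.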
Affected Systems and Versions
The impacted products include WHA-GW-F2D2-0-AS-Z2-ETH and WHA-GW-F2D2-0-AS-Z2-ETH.EIP versions 3.0.8 and 3.0.9.
Exploitation Mechanism
Exploiting this vulnerability requires user interaction, posing a threat to confidentiality and integrity.
Mitigation and Prevention
While no vendor fix for CVE-2021-34563 is available, the following measures reduce the risk to affected products.
Immediate Steps to Take
Implement external protective measures and minimize network exposure to safeguard affected products. Ensure these products are isolated from the Internet and use secure remote access methods like VPNs.
Long-Term Security Practices
Regular security audits, monitoring, and employee training on secure coding practices can prevent similar vulnerabilities.
Patching and Updates
As of now, there are no available updates to address this vulnerability in WirelessHART-Gateway versions 3.0.8 and 3.0.9.