Insecure permissions in REHAU Group Unlimited Polymer Solutions implementation of Carel pCOWeb configuration tool exposes heating and temperature control systems to remote attackers.

Sergiu Sechel
3 min read · Mar 1, 2019

About Carel pCOWeb

The pCOWeb card is used to interface the pCO Sistema to networks that use the HVAC protocols based on the Ethernet physical standard, such as BACnet IP, Modbus TCP/IP and SNMP.

The card also features an integrated Web-Server, which both contains the HTML pages relating to the specific application and allows a browser to be used for remote system management.

The embedded Linux operating system allows users to add their own applications (plug-ins), developed directly to meet their own requirements.

Unauthenticated access to Rehau pCOWeb web interface

Rehau devices that run the pCOWeb service are reachable on various ports; the most common configurations used 8080, 80, 443, 7777, 9002 and 10000. Requesting http://<target ip>:<port>/http/ in a web browser redirects you to

http://<target ip>:<port>/http/default.html

and grants full, unauthenticated access to the configuration and service interface.

Directory listing and source code disclosure

Crawling the pCOWeb web interface also exposes other sensitive directories, such as scripts and admin:

The files inside the scripts directory disclose their source code, as in the example below:

Attack surface

A Shodan search turned up 31 vulnerable devices, most of them in Hungary and Romania.

Remedy and risk mitigation

Since BIOS v6.27 / BOOT v5.00 / Web v2.2 of the web interface offers no way to enable user authentication, the only recommendation is to deny all access to the pCOWeb service ports from the WAN (if port-forwarding was enabled to allow remote configuration, disable it for the pCOWeb devices).
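As an added example (not part of the original article), the following Python check verifies that the WAN block above actually holds: it reads firewall or reverse-proxy log lines and flags any request from outside RFC1918 space that reaches one of the pCOWeb ports and touches the unauthenticated /http/, scripts or admin paths described earlier. The log format and sample lines are constructed assumptions, not real traffic.

```python
import ipaddress
import re

# Ports the article lists as common pCOWeb service ports
PCOWEB_PORTS = {80, 443, 7777, 8080, 9002, 10000}
# Paths the article describes: the /http/ interface and the scripts/admin directories
PCOWEB_PATH_RE = re.compile(r"^/http/(default\.html)?$|^/(scripts|admin)(/|$)")
# "Internal" here means RFC1918 plus loopback; anything else counts as WAN
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumed (constructed) log format: "<src_ip> <dst_ip>:<dst_port> <method> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<src>[\d.]+) (?P<dst>[\d.]+):(?P<port>\d+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

def is_external(ip_str):
    """True when the source address is outside the internal ranges above."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)

def find_wan_pcoweb_access(lines):
    """Return (src, dst, port, path) for every external request that reaches a
    pCOWeb port and one of the unauthenticated interface paths."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        port = int(m["port"])
        if port not in PCOWEB_PORTS or not PCOWEB_PATH_RE.match(m["path"]):
            continue
        if is_external(m["src"]):
            hits.append((m["src"], m["dst"], port, m["path"]))
    return hits

# Constructed sample log lines (documentation-range addresses, not real hosts)
SAMPLE_LOG = [
    "192.168.1.20 192.168.1.50:8080 GET /http/default.html 200",  # LAN: expected
    "203.0.113.9 192.168.1.50:8080 GET /http/ 302",               # WAN: should be blocked
    "203.0.113.9 192.168.1.50:8080 GET /scripts/ 200",            # WAN: should be blocked
    "198.51.100.4 192.168.1.50:443 GET /index.html 404",          # WAN, unrelated path
    "198.51.100.4 192.168.1.50:22 GET /http/ 200",                # not a pCOWeb port
    "not a log line",
]

if __name__ == "__main__":
    for hit in find_wan_pcoweb_access(SAMPLE_LOG):
        print("WAN access to pCOWeb interface:", hit)
```

Any hit printed after the port-forwarding change means the block is incomplete or the device is reachable through another path.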
