"Critical Vulnerabilities Expose Parking Management System to Hacker Attacks"

Nearly a dozen vulnerabilities have recently been found in a car parking management system made by Carlo Gavazzi, an Italian company that makes electronic control components for building and industrial automation. Researchers at industrial cybersecurity firm Claroty discovered the flaws in Carlo Gavazzi's CPY Car Park Server and UWP 3.0 monitoring gateway and controller products. The researchers describe the impacted UWP product as a web-based application for remotely managing building automation, energy management, and car park guidance systems, which give drivers information about parking spot availability within parking facilities.

According to the researchers, the critical vulnerabilities affecting these products are related to hardcoded credentials, SQL injection, missing authentication, improper input validation, and path traversal, and there are several high-severity issues as well. These security holes can be exploited to bypass authentication, obtain information, and execute commands, allowing an attacker to take full control of the targeted system.

The researchers said they are not aware of any UWP devices exposed on the internet, which means an attacker would first have to gain access to the targeted network to exploit the vulnerabilities. An attacker with that access could leverage the vulnerabilities in several attack scenarios, including exploiting the monitoring device and faking monitoring data, and controlling nested devices such as remote controllers and sensors in order to disrupt a physical process. The researchers noted that the vendor quickly fixed all the vulnerabilities once they were reported, and that UWP 3.0 version 8.5.0.3 and newer and CPY Car Park Server version 2.8.3 and newer address the flaws.

 

SecurityWeek reports: "Critical Vulnerabilities Expose Parking Management System to Hacker Attacks"

Submitted by Anonymous on