-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2020-033
Product: Airleader Master / Airleader Easy
Manufacturer: Airleader WF Steuerungstechnik GmbH
Affected Version(s): <= 6.21
Tested Version(s): 6.21
Vulnerability Type: Default user/password and exposed Tomcat manager
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2020-09-11
Solution Date: 2020-xx-xx
Public Disclosure: 2020-10-30
CVE Reference: CVE-2020-26509, CVE-2020-26510
Author of Advisory: Zoellner Matthias, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Airleader Master and Airleader Easy are modules for controlling
compressors. The devices are hardware units which should improve the
effectiveness of compressor drives by various energy saving methods.
They also provide a web interface for monitoring and controlling.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The software is vulnerable to the following:

1. Using weak default credentials for the web interface:

   Airleader Master : airleader / airleader
   Airleader Easy   : 12345

2. Exposing the Tomcat Server Manager to the network:

   The manager is by default reachable at httpx:///manager/html
   This is also valid for several DEMO applications.

3. Using weak default credentials for the Tomcat Manager:

   airleader / airleader

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

To reproduce, follow these steps:

Open the following URL to reach the web interface:
http:////admin/login.jsp?show=login

URL for the login prompt of Tomcat:
http:///manager/html/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The vendor has not yet released a security update. Unique credentials
should be used, the user should be reminded to change the passwords, and
the Tomcat Manager interface should not be reachable publicly/via the
internet.
Furthermore, a modification of existing systems is necessary to change
at least the default credentials.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-08-28: Vulnerability discovered
2020-09-11: Vulnerability reported to manufacturer
2020-09-21: Contact retry
2020-10-30: Disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Airleader Modules
    http://www.airleader.biz/index.jsp?lang=de&site=produkte
[2] SySS Security Advisory SYSS-2020-033
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-033.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by

Daniel Isern of SySS GmbH
E-Mail: daniel.isern@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Daniel_Isern.asc
Key Fingerprint: 6BCD 867F C5B2 F2C8 9844 C3A3 7055 F389 B54C BC07

Matthias Zoellner of SySS GmbH
E-Mail: matthias.zoellner@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Matthias_Zoellner.asc
Key Fingerprint: 36CD 6245 CBBF DA3C 14B5 5C33 B6E2 E969 CDB2 BC91

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
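~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Added example (not part of the SySS advisory and not Airleader or Tomcat
code): the Solution section above asks for two things, unique manager
credentials and a Tomcat Manager that is not reachable from arbitrary
networks. The Python script below audits the two standard Tomcat files
that control exactly that, conf/tomcat-users.xml (accounts and roles)
and webapps/manager/META-INF/context.xml (where Tomcat's
org.apache.catalina.valves.RemoteAddrValve restricts client addresses).
It runs the check over a weak configuration that mirrors the advisory's
findings and over a hardened counterpart. All four XML samples are
constructed; the account name, the placeholder password and the allowed
address range in the hardened samples are assumptions chosen for the
example.

```python
import xml.etree.ElementTree as ET

# Constructed sample configurations (hypothetical; not taken from any device).
# tomcat-users.xml carrying the default manager credentials named in the advisory:
WEAK_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="airleader" password="airleader" roles="manager-gui"/>
  <user username="operator" password="12345" roles="manager-gui"/>
</tomcat-users>
"""

# manager/META-INF/context.xml without any client-address restriction:
WEAK_MANAGER_CONTEXT = """<Context antiResourceLocking="false" privileged="true">
</Context>
"""

# Hardened counterparts: a unique, long credential (placeholder value) and a
# RemoteAddrValve that admits only the local host and one assumed admin subnet.
HARDENED_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="site42-admin" password="PLACEHOLDER-change-me-Xq7pL2vR9m" roles="manager-gui"/>
</tomcat-users>
"""

HARDENED_MANAGER_CONTEXT = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.10\.\d+"/>
</Context>
"""

KNOWN_DEFAULT_PASSWORDS = {"airleader", "12345"}  # defaults reported in the advisory
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}
MIN_PASSWORD_LENGTH = 12
REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"


def _local(tag):
    """Strip an XML namespace: '{http://tomcat.apache.org/xml}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Flag accounts that hold a manager role and still use a weak password."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local(elem.tag) != "user":
            continue
        name = elem.get("username", "")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue  # only manager accounts matter for the exposed manager app
        if password in KNOWN_DEFAULT_PASSWORDS:
            findings.append(f"user {name!r}: known default password")
        elif password == name:
            findings.append(f"user {name!r}: password equals username")
        elif len(password) < MIN_PASSWORD_LENGTH or password.isdigit():
            findings.append(f"user {name!r}: password too short or numeric only")
    return findings


def audit_manager_context(xml_text):
    """Check that the manager app restricts client addresses via RemoteAddrValve."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local(elem.tag) == "Valve" and elem.get("className") == REMOTE_ADDR_VALVE:
            if elem.get("allow", ""):
                return []
            return ["RemoteAddrValve present but without an allow list"]
    return ["manager app has no RemoteAddrValve: reachable from any client address"]


def audit(users_xml, context_xml):
    """Combined audit; an empty list means both recommendations are met."""
    return audit_tomcat_users(users_xml) + audit_manager_context(context_xml)


if __name__ == "__main__":
    for label, users, ctx in (
        ("weak", WEAK_TOMCAT_USERS, WEAK_MANAGER_CONTEXT),
        ("hardened", HARDENED_TOMCAT_USERS, HARDENED_MANAGER_CONTEXT),
    ):
        print(f"[{label}] findings: {audit(users, ctx) or 'none'}")
```

Point the two constants at real files (conf/tomcat-users.xml and the
manager's META-INF/context.xml) to run the same check on an installed
Tomcat. The RemoteAddrValve allow attribute is a regular expression
matched against the client address, so the allowed range should be
escaped exactly as in the hardened sample; a reverse proxy in front of
Tomcat presents its own address, in which case the restriction belongs
in the proxy instead.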
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright: Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEENs1iRcu/2jwUtVwztuLpac2yvJEFAl+a5HgACgkQtuLpac2y
vJHl8hAAtt55T7aMaYsjE10U35TJ8LlEgzgwyc/c6hdF82DyCblS8952eNm5diAl
F3UalsVuPvrEYkU9YIYtNGjfJUiiyHOcj/VHWLS//B+j72EQKeo5YvEaPJRWBJhM
NONX//C+pWk22D4ac6nwKaTkwpKJkNmPf8MbwYqbTlkkNqrFQ8159auFbxDhpk9J
7ZIk9ay1LW0pe6dlehr7lz9jVYxvFsqYKXQLj5Q56TIeKWihQcgdNd6pnvSVb3X6
JUPYDgtH/mX9vaWRhlZg/zAxty5arBmne7TdWkkgCzlo2RQZFwp2CFcvkR/Sd7Tk
r1DlqPZXkV+RtSM5jTrIA8U4jUO0D/AvjyW4PeIW07rFmr3Ei4KXmFiNogdb7MAx
bxX0R33SSFO8rs7FnSyjJMdLhAD+Z2+bg/G6Ju9s8zLr7szAoPuy30E7dJ+Az5Z1
MFAJRvzD3LitMJFOKPKz9vXa+QenDdhss0sZKbstc2801riZ5bOj6dgTe+Vcf+Qa
Kktn0NMPeivVCQFvvpaA4Pddu2xmNy9dGJcs1XqljbP1dYWxlyVzYTpPJzFYaiYB
HhpIPcUyHVmRj34LYoAANJqgQIOeEFdANL+LasBJNH7r4t9rGk7PkSS5cpIcdMoO
hzixWm2zQia0AyDrf5fya9y+fHGEwwOLd1xLwPrOFqieEeyT6SM=
=SuwV
-----END PGP SIGNATURE-----