ALC Mitigation Plan for Product Holes

Tuesday, August 22, 2017 @ 04:08 PM gHale


Automated Logic Corporation (ALC) is offering a mitigation plan to help ward off multiple vulnerabilities in its WebCTRL, i-Vu, and SiteScan Web building automation platforms, according to a report with ICS-CERT.

The vulnerabilities include an unquoted search path or element; improper limitation of a pathname to a restricted directory (better known as path traversal); and unrestricted upload of a file with a dangerous type.


The following versions of the WebCTRL, i-Vu, and SiteScan Web building automation platforms suffer from the issues:
• ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior
• ALC WebCTRL, SiteScan Web 6.1 and prior
• ALC WebCTRL, i-Vu 6.0 and prior
• ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior
• ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior

Successful exploitation of these vulnerabilities, discovered by Gjoko Krstic from Zero Science Lab, could allow an authenticated user to elevate his or her privileges to execute arbitrary code on the system.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

An unquoted search path vulnerability may allow a non-privileged local attacker to change files in the installation directory and execute arbitrary code with elevated privileges.

CVE-2017-9644 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.2.
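The unquoted search path weakness above is a Windows service configuration defect: when a service's binary path contains spaces and is not wrapped in quotes, the service control manager probes each space-delimited prefix (as an .exe) before it reaches the intended binary. The audit helper below is an added example, not code from ALC or ICS-CERT; it flags such paths, lists the prefixes Windows would probe (whose parent directories therefore need ACLs that deny write access to non-administrators), and produces the quoted form that fixes the finding. The sample paths are constructed and are not ALC's real installation paths.

```python
from __future__ import annotations

import re

# Executable portion of a service ImagePath: everything up to and including
# the first ".exe" (case-insensitive). Anything after it is treated as arguments.
_EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def executable_portion(image_path: str) -> str:
    """Return the executable path of an ImagePath with its arguments dropped."""
    s = image_path.strip()
    m = _EXE_RE.match(s)
    return m.group(1) if m else s


def is_unquoted_search_path(image_path: str) -> bool:
    """True when the binary path is not quoted and contains a space (CWE-428)."""
    s = image_path.strip()
    if s.startswith('"'):
        return False
    return " " in executable_portion(s)


def search_candidates(image_path: str) -> list[str]:
    """Paths Windows would try, in order, for an unquoted ImagePath with spaces.

    Every entry before the last one is a location an unprivileged user must
    not be able to create files in; check those directory ACLs during hardening.
    """
    exe = executable_portion(image_path)
    tokens = exe.split(" ")
    prefixes = [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]
    return prefixes + [exe]


def quote_image_path(image_path: str) -> str:
    """The fix: wrap the executable path in double quotes, keeping the arguments."""
    s = image_path.strip()
    if not is_unquoted_search_path(s):
        return s
    exe = executable_portion(s)
    return f'"{exe}"{s[len(exe):]}'


if __name__ == "__main__":
    # Constructed sample ImagePath values (hypothetical vendor and paths).
    samples = [
        r"C:\Program Files\ExampleVendor\BAS Server\bin\bas_service.exe -svc",
        r'"C:\Program Files\ExampleVendor\BAS Server\bin\bas_service.exe" -svc',
        r"C:\Windows\System32\svchost.exe -k netsvcs",
    ]
    for path in samples:
        flagged = is_unquoted_search_path(path)
        print(path, "->", "UNQUOTED" if flagged else "ok")
        if flagged:
            print("  probed first:", search_candidates(path)[:-1])
            print("  fixed       :", quote_image_path(path))
```

On a real host the ImagePath values come from the service registry keys or from `Get-CimInstance Win32_Service`; feeding each `PathName` through `is_unquoted_search_path` gives the same check an OS hardening benchmark performs.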

In addition, an authenticated attacker may be able to overwrite files used to execute code. This vulnerability does not affect version 6.5 of the software.

CVE-2017-9640 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.3.

Also, an authenticated attacker may be able to upload a malicious file allowing the execution of arbitrary code.

CVE-2017-9650 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.3.
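The two file-handling findings above (overwriting files used to execute code, and uploading a file of a dangerous type) are both addressed by the same server-side discipline: never let the client choose where or under what name an upload is stored, and only accept the types the feature needs. The handler below is an added example written for this article, not ALC's code; the allow-list, the upload root and the sample filenames are constructed for illustration.

```python
from __future__ import annotations

import os
import pathlib
import uuid

# Constructed allow-list for the example. A real deployment permits only the
# types its upload feature actually needs; executables and server-side scripts
# never belong on it.
ALLOWED_EXTENSIONS = {".csv", ".png", ".pdf"}


def validate_client_filename(filename: str) -> str:
    """Reject names carrying path components or NUL bytes (CWE-22) and
    extensions outside the allow-list (CWE-434). Returns the lower-cased extension."""
    if not filename or "\x00" in filename:
        raise ValueError("empty or NUL-containing filename")
    if "/" in filename or "\\" in filename or filename in (".", ".."):
        raise ValueError("path separators are not allowed in an upload name")
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"file type {ext or '<none>'} is not permitted")
    return ext


def safe_upload_path(upload_root: str, filename: str,
                     name_factory=lambda: uuid.uuid4().hex) -> pathlib.Path:
    """Map a client-supplied filename to a server-chosen path under upload_root.

    The stored name is generated on the server, so the client controls only the
    (allow-listed) extension. The resolved destination is then checked to lie
    inside the root as defence in depth, so a later change to the naming scheme
    cannot silently reintroduce traversal.
    """
    ext = validate_client_filename(filename)
    root = pathlib.Path(upload_root).resolve()
    dest = (root / f"{name_factory()}{ext}").resolve()
    if root not in dest.parents:
        raise ValueError("destination escapes the upload root")
    return dest


def is_accepted(filename: str, upload_root: str = "/tmp/example_uploads") -> bool:
    """Convenience wrapper: True when the name would be stored, False when rejected."""
    try:
        safe_upload_path(upload_root, filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample filenames as a client might submit them.
    for name in ("trend_export.csv", "floorplan.png",
                 "../../config/settings.csv", "page.jsp", "launcher.exe",
                 "notes.csv\x00.jsp", ""):
        print(repr(name), "->", "stored" if is_accepted(name) else "rejected")
```

Storing under a generated name also sidesteps the double-extension problem (a name such as `page.jsp.png` is stored as `<uuid>.png`), and the server should serve the upload directory with scripting disabled so that even an allow-listed type is never executed.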

The products see use mainly in the commercial facilities sector, and they are deployed globally.

Kennesaw, Georgia-based ALC provides support for WebCTRL, i-Vu, SiteScan Web versions 6.0 and greater. Those users using prior versions, including 5.5 and 5.2, must upgrade to supported versions in order to install these mitigation patches.

ALC applications should always be installed and maintained in accordance with the guidelines.

In addition, ALC released the following patches, which address these vulnerabilities:
• WebCTRL 6.0, Cumulative Patch #13
• WebCTRL 6.1, Cumulative Patch #7
• WebCTRL 6.5, Cumulative Patch #7 + WS65_Security_Update2.update
These patch releases may be obtained on the ALC accounts web site or by calling Technical Support at 770-429-3002.

• i-Vu 6.0, Cumulative Patch #13
• i-Vu 6.5, Cumulative Patch #7 + WS65_Security_Update2.update
The patch release may be obtained by calling Technical Support at 800-277-9852.

• SiteScan Web Version 6.1, Cumulative Patch #7
• SiteScan Web Version 6.5, Cumulative Patch #7 + WS65_Security_Update2.update
These patches may be obtained by contacting Liebert Services at 1-800-543-2378.
