Hole in CAREL’s Unsupported Line

Thursday, January 21, 2016 @ 04:01 PM gHale

CAREL confirmed there is an authorization bypass vulnerability in its PlantVisor application, but it is in a phased-out product, PlantVisorEnhanced, that no longer receives support, according to a report on ICS-CERT.

This vulnerability, discovered by independent researcher Maxim Rupp, is remotely exploitable.

CAREL said the vulnerability affects the PlantVisorEnhanced version.

An attacker or unauthorized user can refer to a particular file and thus bypass authorization.

CAREL is an Italy-based company that maintains offices in four countries around the world.

The affected product, PlantVisorEnhanced, is a web-based SCADA system. According to CAREL, PlantVisorEnhanced sees action across several sectors including commercial facilities, critical manufacturing and energy. CAREL said these products see use on a global basis.

The input validation vulnerability affects Internet Protocol-connected devices: an unauthorized user can refer to a particular file and thus bypass authorization.

CVE-2015-0867 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

No known public exploits specifically target this vulnerability. However, an attacker with low skill would be able to exploit this vulnerability.

PlantVisorEnhanced was replaced by PlantVisorPRO (new model) in 2007.

Users should contact pvcustomercare@carel.com in order to receive the necessary files and details on how to perform the installation to avoid further security issues.