INDAS Patches Path Traversal Hole

Tuesday, October 4, 2016 @ 05:10 PM gHale

INDAS produced new software to mitigate a path traversal vulnerability in its Web SCADA application, according to a report from ICS-CERT.

This vulnerability, discovered by independent researcher Ehab Hussein of IOActive, is remotely exploitable.

Web SCADA versions prior to Version 3 suffer from the vulnerability.

Successful exploitation of this vulnerability could allow an attacker to download arbitrary files from the target system.

INDAS is a Serbia-based company that does not maintain offices in other countries.

The affected product, Web SCADA, is a web-based SCADA system. Web SCADA sees action across several sectors including communications, and water and wastewater systems. INDAS estimates this product sees use primarily in Serbia.

The application uses external input to construct paths to files and directories without properly neutralizing special elements within the pathname, which could allow an attacker to read arbitrary files on the system.
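As an added illustration of this weakness class (not INDAS code; the advisory does not describe Web SCADA's implementation, so the Python functions, directory names and sample requests here are hypothetical and constructed), the sketch below contrasts a file lookup that joins the request to a base directory unchecked with one that canonicalizes the path and enforces containment.

```python
import os
import tempfile
from pathlib import Path


def naive_resolve(base_dir: str, requested: str) -> str:
    """Flawed pattern: external input is joined to the base directory as-is."""
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_resolve(base_dir: str, requested: str) -> Path:
    """Canonicalize the request, then require it to stay under base_dir."""
    base = Path(base_dir).resolve()
    # resolve() collapses ".." and follows symlinks; an absolute `requested`
    # replaces `base` in the join and is caught by the same check below.
    candidate = (base / requested).resolve()
    try:
        # Component-wise test: a string-prefix test would accept "<base>_backup".
        candidate.relative_to(base)
    except ValueError:
        raise PermissionError(f"request escapes base: {requested!r}") from None
    return candidate


def demo() -> dict:
    """Classify constructed sample requests against a temporary directory tree."""
    root = Path(tempfile.mkdtemp()).resolve()
    base = root / "reports"
    (root / "reports_backup").mkdir()
    base.mkdir()
    (base / "daily.csv").write_text("constructed sample data")
    (root / "secret.txt").write_text("outside the served directory")
    (root / "reports_backup" / "old.csv").write_text("sibling directory")
    os.symlink(root / "secret.txt", base / "link.csv")  # link pointing outside
    requests = {"plain": "daily.csv", "dotdot": "../secret.txt",
                "sibling": "../reports_backup/old.csv",
                "absolute": str(root / "secret.txt"), "symlink": "link.csv"}
    verdicts = {}
    for label, req in requests.items():
        try:
            safe_resolve(str(base), req)
            verdicts[label] = "served"
        except PermissionError:
            verdicts[label] = "rejected"
    return {"root": root, "base": base, "verdicts": verdicts}
```

Only the plain filename is served; the sibling-directory and symlink cases are the ones a simple `..` filter or string-prefix comparison would miss.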

CVE-2016-8343 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 10.

No known public exploits specifically target this vulnerability. However, an attacker with low skill would be able to exploit this vulnerability.

INDAS has produced new software, InView SCADA, that replaces Web SCADA. INDAS recommends users contact an INDAS sales representative to procure the new software.