Infinite Fixes Mango Vulnerabilities
Thursday, October 29, 2015 @ 11:10 AM gHale
Infinite Automation Systems created a new version to mitigate vulnerabilities in its Mango Automation application, according to a report on ICS-CERT.
Researchers Steven Seeley of Source Incite and Gjoko Krstic of Zero Science Lab, who independently discovered the holes, tested the new version to validate it resolves the vulnerabilities, except for the cross-site request forgery.
These remotely exploitable vulnerabilities have known publicly available exploits.
Mango Automation, Version 2.5.0 through Version 2.6.0 beta (builds prior to 430) suffer from the issues.
Successful exploitation of these vulnerabilities may allow a remote attacker to compromise the confidentiality, integrity, and availability of the system.
Infinite Automation Systems has its headquarters in Lafayette, CO.
The affected product, Mango Automation, is a centralized web-based SCADA/HMI and data acquisition software. Mango Automation sees action across several sectors including commercial facilities, critical manufacturing, food and agriculture and energy. Infinite Automation Systems said these products see use on a worldwide basis.
In one vulnerability, improper verification of uploaded image files allows arbitrary files to upload, which may allow for the execution of malicious JSP script files.
CVE-2015-7904 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.7.
An authenticated user can issue any OS commands not properly sanitized, which could allow for OS command injection and cross-site request forgery attacks.
CVE-2015-7901 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.3.
The application has debugging enabled by default, which automatically updates a publicly available status page when system exceptions occur with a description of the exception and details about session attributes. An attacker could send a malicious URL to a logged in user to instigate a system exception to gather information about the logged in user.
CVE-2015-7900 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.3.
The application does not verify SQL queries via HTTP requests, allowing the issuance of arbitrary SQL commands.
CVE-2015-7903 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.7.
The application does not verify HTTP requests.
CVE-2015-6493 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.3.
The application fails to properly sanitize user-supplied input, which could allow a remote attacker to execute arbitrary code in a user’s browser.
CVE-2015-6494 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.3.
Error messages for failed logon attempts contain information that could end up used by an attacker.
CVE-2015-7902 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
Exploits that target these vulnerabilities are publicly available. In addition, an attacker with a low skill would be able to exploit these vulnerabilities.
Infinite Automation Systems released a new version of the Mango Automation application, Version 2.6.0 (build 430), which addresses all but two of the identified vulnerabilities — OS command injection and cross-site request forgery vulnerabilities. Infinite Automation Systems is working to develop a new version that addresses these remaining two vulnerabilities, expected in December.
Infinite Automation Systems offers the following interim mitigation for the cross-site request forgery vulnerability:
• The REST API can end up disabled by setting rest.enabled to false in the env.properties file and restarting the Mango Automation software. Disabling the REST API will disable the following features: User Administration, Brewer’s Dashboard Module, Data Point Details, View Module, Excel Reports Module, and Custom Dashboards Module.
Click here for Infinite Automation Systems new version of Mango Automation application.