LCDS Fixes Path Traversal Hole

Friday, March 24, 2017 @ 03:03 PM gHale


LCDS – Leão Consultoria e Desenvolvimento de Sistemas LTDA ME updated its firmware to mitigate a path traversal vulnerability in its LAquis SCADA product, according to a report with ICS-CERT.

LAquis SCADA software, versions prior to version 4.1.0.3237 suffer from the remotely exploitable vulnerability discovered by Karn Ganeshen, working with Trend Micro’s Zero Day Initiative (ZDI).

RELATED STORIES
Siemens Updates SIMATIC Fixes
Moxa Updates NPort Fix
Rockwell Fixes FactoryTalk Hole
Rockwell Clears Workbench Vulnerability

Successful exploitation of this vulnerability could allow an unprivileged, malicious attacker to access files remotely.

The path traversal vulnerability exists when an application does not neutralize external input to ensure users are not calling for absolute path sequences outside of their privilege level.

CVE-2017-6020 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

The LAquis SCADA product sees action in the chemical, commercial facilities, energy, food and agriculture, transportation systems, water and wastewater systems sectors. It mainly sees use in South America.

No known public exploits specifically target this vulnerability. However, an attacker with low skill level would be able to exploit the vulnerability.

Joinville-SC, Brazil-based LCDS recommends users update to the latest firmware, version 4.1.0.3237.



Leave a Reply

You must be logged in to post a comment.