Miele Professional Patches Vulnerability

Friday, May 19, 2017 @ 09:05 AM gHale


Miele Professional released patches to mitigate a path traversal vulnerability in its PG 85 Series, according to a report with ICS-CERT.

Successful exploitation of this remotely exploitable vulnerability, discovered by Jens Regel of Schneider & Wulf who publicly disclosed it without ICS-CERT coordination, could allow a remote attacker to read or modify sensitive data or files, execute unauthorized code or commands, and possibly cause a system crash.


Miele Professional said the following versions of the PG 85 product series, a large capacity cleaner and disinfector, and their embedded webservers suffer from the issue:
• PG8527, version 2.02, 2.51, 2.52, and 2.54
• PG8528, version 2.02, 2.51, 2.52, and 2.54
• PG8535, version 1.00 and 1.04
• PG8536, version 1.10 and 1.14

The path traversal vulnerability may allow a remote attacker to access sensitive information by using special elements in the pathname to resolve to a location outside of a restricted directory.
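The containment check that prevents this class of bug, as an added example (not code from Miele Professional or ICS-CERT; the function names, directory layout and sample requests are constructed for illustration): the server canonicalizes the requested path and refuses anything that resolves outside the web root.

```python
import os
import tempfile
from urllib.parse import unquote


class TraversalError(ValueError):
    """The requested path resolves outside the document root."""


def resolve_under_root(web_root, url_path):
    """Map a URL path to a file path, refusing anything outside web_root."""
    decoded = unquote(url_path)  # decode percent-encoding once, before checking
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    # Force a relative path so os.path.join cannot be reset by a leading "/".
    relative = decoded.replace("\\", "/").lstrip("/")
    root = os.path.realpath(web_root)
    # realpath collapses ".." and follows symlinks, so the check sees the real target.
    candidate = os.path.realpath(os.path.join(root, relative))
    # Compare whole components, not string prefixes ("www" vs "www-old").
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalError(f"{url_path!r} resolves outside the web root")
    return candidate


def is_allowed(web_root, url_path):
    try:
        resolve_under_root(web_root, url_path)
        return True
    except TraversalError:
        return False


def demo():
    """Build a constructed directory layout and classify sample requests."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    sibling = os.path.join(base, "www-old")  # shares a string prefix with root
    os.makedirs(os.path.join(root, "css"))
    os.makedirs(sibling)
    os.symlink(sibling, os.path.join(root, "link"))  # symlink leaving the root
    samples = ["/index.html", "/css/../index.html", "/../www-old/notes.txt",
               "/%2e%2e/%2e%2e/outside.txt", "/link/notes.txt", "/..\\..\\outside.txt"]
    return {s: is_allowed(root, s) for s in samples}


if __name__ == "__main__":
    for path, ok in demo().items():
        print("ALLOW" if ok else "DENY ", path)
```
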

CVE-2017-7240 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.

The product sees use in the healthcare and public health sectors on a global basis.

There are public exploits available. An attacker with low skill level would be able to leverage the vulnerability.

Germany-based Miele Professional issued a press release addressing this vulnerability on March 29.

Miele Professional issued patches for this vulnerability on May 4, 2017. Miele Professional is in the process of contacting all affected users via registered mail.

Users of affected machines can contact Miele Professional at 1-800-991-9380 to schedule service for a software update, which must be performed by a Miele Professional technician.

The following updates are available for affected Miele Professional PG 85 series products:
• PG8527, version 2.02: update to version 2.12
• PG8527, version 2.51: update to version 2.61
• PG8527, version 2.52: update to version 2.62
• PG8527, version 2.54: update to version 2.64
• PG8528, version 2.02: update to version 2.12
• PG8528, version 2.51: update to version 2.61
• PG8528, version 2.52: update to version 2.62
• PG8528, version 2.54: update to version 2.64
• PG8535, version 1.00: update to version 1.10
• PG8535, version 1.04: update to version 1.14
• PG8536, version 1.10: update to version 1.20
• PG8536, version 1.14: update to version 1.24


