NUUO Fixes CMS Vulnerabilities

Thursday, October 11, 2018 @ 05:10 PM gHale

NUUO has a fix for multiple vulnerabilities in its CMS software management platform, according to a report with NCCIC.

The vulnerabilities are a use of insufficiently random values, use of obsolete function, incorrect permission assignment for critical resource, and use of hard-coded credentials.


Successful exploitation of these remotely exploitable vulnerabilities, discovered by Pedro Ribeiro, could result in arbitrary remote code execution.

CMS, a central software management platform, suffers from the issues in Versions 3.1 and prior.

In one vulnerability, the application uses a session identification mechanism that could allow attackers to obtain the active session ID, which could allow arbitrary remote code execution.

CVE-2018-17888 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In addition, the application uses insecure and outdated software components for functionality, which could allow arbitrary code execution.

CVE-2018-17890 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

Also, the application implements a method of user account control that causes standard account security features to not be utilized as intended, which could allow user account compromise and may allow for remote code execution.

CVE-2018-17892 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.

In addition, the application creates default accounts that have hard-coded passwords, which could allow an attacker to gain privileged access.

CVE-2018-17894 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
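Default accounts with hard-coded passwords are usually caught earliest by a start-up check that refuses to serve an account still carrying a vendor default. The following is an added example written for this article, not NUUO code; the KNOWN_DEFAULTS list is a constructed placeholder rather than any real product's defaults, and the account layout, the PBKDF2 parameters and the function names are hypothetical.

```python
# Added example (hypothetical, not NUUO's code): detect accounts whose stored
# password hash still matches a known default, and provision a random
# must-change password instead of shipping a hard-coded one.
import hashlib
import hmac
import secrets

# Constructed placeholder list of vendor-default passwords (not a real product's).
KNOWN_DEFAULTS = ("admin", "password", "123456", "default")


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; iteration count chosen for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(user: str, password: str, must_change: bool = False) -> dict:
    salt = secrets.token_bytes(16)
    return {"user": user, "salt": salt, "hash": derive(password, salt),
            "must_change": must_change}


def uses_default_password(account: dict) -> bool:
    """True if the stored hash matches any known default under the account's salt."""
    for candidate in KNOWN_DEFAULTS:
        if hmac.compare_digest(derive(candidate, account["salt"]), account["hash"]):
            return True
    return False


def provision_account(user: str) -> tuple[dict, str]:
    """Create an account with a random initial password that must be changed
    on first login; the password is returned once for out-of-band delivery."""
    initial = secrets.token_urlsafe(12)
    return make_account(user, initial, must_change=True), initial


def startup_check(accounts: list[dict]) -> list[str]:
    """Users that still carry a default password; the service should refuse to
    start, or at least disable these accounts, until the list is empty."""
    return [a["user"] for a in accounts if uses_default_password(a)]


if __name__ == "__main__":
    shipped = make_account("admin", "admin")          # the hard-coded pattern
    print("blocked at start-up:", startup_check([shipped]))
    fixed, one_time_pw = provision_account("admin")
    print("blocked after provisioning:", startup_check([fixed]))
```

Because the check hashes each default under the account's own salt, it works against stored hashes without ever keeping plaintext passwords in the configuration, which is the property a hard-coded credential lacks.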

The product sees use in the commercial facilities, financial services, government facilities, healthcare and public health, and transportation systems sectors, and it is deployed worldwide.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

Taiwan-based NUUO has developed a fix for the reported vulnerabilities and recommends users update to firmware v3.3 or the latest available.
