Rexroth Bosch Fixes BLADEcontrol Holes

Wednesday, July 6, 2016 @ 10:07 AM gHale


Rexroth Bosch created a new version to mitigate a SQL injection vulnerability and a cross-site scripting vulnerability in its BLADEcontrol-WebVIS, according to a report with ICS-CERT.

BLADEcontrol-WebVIS, Version 3.0.2 and earlier, suffers from the remotely exploitable vulnerabilities discovered by independent researcher Maxim Rupp.

The SQL injection vulnerability lets an attacker perform database operations unintended by the web application designer and, in some instances, can lead to compromise of the database server or to remote code execution. The application also fails to validate, filter, or encode user input before returning it to a user’s web client.

Rexroth Bosch is a Germany-based company that maintains offices in 22 countries around the world, including the U.S., UK, Netherlands, Italy, India, Germany, France, Czech Republic, China, and Australia.

The affected product, BLADEcontrol, is a web-based HMI system. BLADEcontrol sees action across the energy sector. Rexroth Bosch estimates that this product sees use in 80 countries.

The SQL injection vulnerability lets an attacker perform database operations that were unintended by the web application designer and, in some instances, can lead to compromise of the database server or to remote code execution.

CVE-2016-4507 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.4.

In addition, the application fails to validate, filter, or encode user input before returning it to a user’s web client.

CVE-2016-4508 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.1.
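As an added illustration, not code from Rexroth Bosch or from the advisory (the product's own code is not public, and the table, inputs and function names below are constructed), the two defect classes described above shown beside their standard fixes: a query built by string splicing versus a parameterized query, and input reflected verbatim versus HTML-encoded before it is returned to the client.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for an HMI's turbine table; the real
    # BLADEcontrol-WebVIS schema is not known and is not assumed here.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE turbine (name TEXT, site TEXT)")
    conn.executemany(
        "INSERT INTO turbine VALUES (?, ?)",
        [("WTG-01", "north"), ("WTG-02", "north"), ("WTG-03", "south")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, site: str) -> list:
    # Defect: user input is spliced into the SQL text, so a quote or
    # operator inside `site` changes the meaning of the statement.
    sql = f"SELECT name FROM turbine WHERE site = '{site}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, site: str) -> list:
    # Fix: a parameterized query passes `site` to the driver as data only.
    sql = "SELECT name FROM turbine WHERE site = ?"
    return [row[0] for row in conn.execute(sql, (site,))]


def render_unsafe(site: str) -> str:
    # Defect: the input is returned to the browser without encoding.
    return f"<p>Results for site: {site}</p>"


def render_safe(site: str) -> str:
    # Fix: encode for an HTML text context before returning the value.
    return f"<p>Results for site: {html.escape(site, quote=True)}</p>"


def demo() -> dict:
    conn = make_db()
    # Constructed inputs: no site carries either of these names, so a correct
    # lookup returns no rows and a correct page shows the text, not markup.
    tautology = "north' OR '1'='1"
    markup = "<script>alert(1)</script>"
    return {
        "unsafe_rows": lookup_unsafe(conn, tautology),  # every row leaks
        "safe_rows": lookup_safe(conn, tautology),      # []
        "unsafe_html": render_unsafe(markup),
        "safe_html": render_safe(markup),
    }
```

Running `demo()` shows the spliced query returning all three turbines for an input that names no site, while the parameterized query returns nothing; the encoded page carries `&lt;script&gt;` rather than an executable tag.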

No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level would be able to exploit them.

The new version of BLADEcontrol-WebVIS is available for download from Rexroth Bosch.