Saia Burgess Controls Fixes Hole
Tuesday, December 1, 2015 @ 05:12 PM gHale
Saia Burgess Controls created new firmware version to mitigate a hard-coded password vulnerability in its family of PCD controllers, according to a report on ICS-CERT.
Independent researcher Artyom Kurbatov, who found the vulnerability, tested the new firmware version to validate it resolves the remotely exploitable vulnerability.
The vulnerability affects the following Saia PCD Controllers:
• PCD1.M0xx0/M2xx0, PCD2.M5xx0, PCD3.Mxxx0, PCD3.Mxx60, PCD7.D4xxxT5F, PCD7.D4xxV, PCD7.D4xxD, PCD7.D4xxWTPF versions prior to 1.24.50
• PCD3.T665, PCD3.T666 versions prior to 1.24.41
• PCD7.D4xxxT5F versions prior to 1.24.50
• PCD7.D4xxV VGA MB Panels versions prior to 1.24.50
• PCD7.D4xxD SVGA MB Panels versions prior to 1.24.50
• PCD7.D4xxWTPF WVGA MB Panels versions prior to 1.24.50
An attacker who exploits this vulnerability would have administrative access to the target device and resources.
Saia Burgess Controls is a Switzerland-based company that maintains offices worldwide.
The affected products, the Saia PCD controller family, are programmable controllers for measuring, regulation, and control tasks. The Saia PCD controller family sees action across several sectors including the chemical and energy sectors. These products see use on a global basis.
Undocumented hard-coded credentials allow FTP access to the device.
CVE-2015-7911 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.1.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill would be able to exploit this vulnerability.
Saia Burgess Controls has released a new firmware version, Version 1.24.50, to mitigate the reported vulnerability.
Saia Burgess Controls provides more information and instructions in their own customer notification document on their web site.