Sauter Fixes moduWeb Vision Holes

Wednesday, February 3, 2016 @ 02:02 PM gHale

Sauter created new firmware to mitigate three vulnerabilities in its moduWeb Vision application, according to a report on ICS-CERT.

Researchers Martin Jartelius and John Stock of Outpost24, who discovered the issues, tested the new firmware version to validate that it resolves the remotely exploitable vulnerabilities.

EY-WS505F0x0 moduWeb Vision Versions 1.5.5 and older suffer from the vulnerabilities.

Two of the vulnerabilities pertain to the insecure storage and transmission of credentials for the application. These vulnerabilities could allow a malicious party to bypass the authentication mechanisms of the application and use the system without authorization. Leaked credentials end up securely hashed, but the same method is used to store authentication tokens, giving attackers a possibility of privilege escalation.

Cross-site scripting presents one entry point for attackers to access and manipulate control systems networks. It takes advantage of web servers that return dynamically generated web pages. This potentially allows the attacker to redirect the web page to a malicious location, hijack the client-server session, engage in network reconnaissance and plant backdoor programs.

Cross-site scripting vulnerabilities in the platform are persistent and located in modules primarily exposed to administrators.

Sauter is a Switzerland-based company that maintains offices in several countries around the world.

The affected product, Sauter moduWeb Vision, is an embedded, web-based SCADA system for HVAC. Sauter officials said moduWeb Vision sees action across several sectors including commercial facilities. Sauter estimates these products see use primarily in Europe and the Americas with a small percentage in the United States and Asia.

The moduWeb Vision stores credential elements in an encrypted format that implies the same encryption scheme as the authentication mechanism, allowing for use of a pass-the-hash attack against the system. This would allow an attacker to use these elements to bypass authentication and use the system without authorization.

CVE-2015-7914 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 10.0.
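
The condition behind a pass-the-hash weakness can be checked generically: if the value kept at rest is itself accepted as a login credential, a leak of the store is as bad as a leak of the passwords. The Python below is an added illustration, not Sauter's code; the class names, the SHA-256 and PBKDF2 choices and the sample password are assumptions, because the report does not describe the actual scheme.

```python
import hashlib
import hmac
import os
import secrets

PASSWORD = "correct horse battery staple"  # constructed sample value

class HashAsTokenAuth:
    """Weak model: the client sends H(password) and the server stores that same value."""
    def __init__(self, password):
        self.stored = hashlib.sha256(password.encode()).hexdigest()

    def client_credential(self, password):
        return hashlib.sha256(password.encode()).hexdigest()

    def login(self, credential):
        return hmac.compare_digest(credential, self.stored)

class SaltedVerifierAuth:
    """Hardened model: the password travels over an encrypted channel, the server
    keeps only a salted slow verifier and hands out unrelated random session tokens."""
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.stored = self._derive(password)
        self.sessions = set()

    def _derive(self, secret):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self.salt, 100_000).hex()

    def client_credential(self, password):
        return password

    def login(self, credential):
        if not hmac.compare_digest(self._derive(credential), self.stored):
            return None
        token = secrets.token_urlsafe(32)  # session token is not derived from the verifier
        self.sessions.add(token)
        return token

def stored_value_is_password_equivalent(auth):
    """Regression check: True if the at-rest value alone is enough to log in."""
    return bool(auth.login(auth.stored))

if __name__ == "__main__":
    for scheme in (HashAsTokenAuth(PASSWORD), SaltedVerifierAuth(PASSWORD)):
        print(type(scheme).__name__, stored_value_is_password_equivalent(scheme))
```
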

The moduWeb Vision application transmits information in plain text including credentials. This allows malicious parties with access to the transmitted data to obtain credentials and bypass authentication.

CVE-2015-7915 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 10.0.

The web server of the moduWeb Vision application allows for certain queries that would allow an attacker to obtain and change protected information from the system. A malicious user could add or modify accounts and credentials or potentially redirect other users of the application to malicious locations or sites.

CVE-2015-7916 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.4.

No known public exploits specifically target these vulnerabilities. An attacker with low skill would be able to exploit these vulnerabilities.

A new firmware version that mitigates these vulnerabilities has been released, and users can download and install it using the Sauter commissioning tool CASE Sun.