Sauter Won’t Update NovaWeb Hole

Thursday, December 8, 2016 @ 04:12 PM gHale

Sauter will not mitigate an authentication bypass vulnerability in its NovaWeb web HMI application because the company discontinued the product in 2013 and no longer supports it, according to a report with ICS-CERT.

This vulnerability, discovered by independent researcher Maxim Rupp, is remotely exploitable.


All versions of NovaWeb web HMI suffer from the issue.

An attacker can bypass authentication by modifying values in a cookie.

Sauter is a Germany-based company that also maintains an office in Switzerland.

The affected product, novaWeb web HMI, is a web-based HMI system. Sauter officials said novaWeb sees action in the commercial facilities and critical manufacturing sectors. Sauter estimates this product sees use primarily in Europe.

Essentially, the application uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure the cookie is valid for the associated user.
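The weakness described above, as an added example (not Sauter's code and not taken from the ICS-CERT report): a check that trusts client-supplied cookie values, next to one that binds the cookie to the user with a server-side HMAC. The cookie names `logged_in`, `user` and `sig` and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret, generated per process for this demo.
# It never leaves the server, so a client cannot compute a valid tag.
SERVER_KEY = secrets.token_bytes(32)


def _tag(user):
    """MAC over the user name, computable only with SERVER_KEY."""
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).digest()


def weak_is_authenticated(cookies):
    """Flawed pattern: relies on the existence and values of cookies
    without checking that the server ever issued them for this user."""
    return cookies.get("logged_in") == "1" and "user" in cookies


def issue_session_cookie(user):
    """Called after a successful login: bind the cookie to the user."""
    return {"user": user, "sig": _tag(user).hex()}


def strict_is_authenticated(cookies):
    """Accept the cookie only if its tag matches the claimed user."""
    user, sig = cookies.get("user"), cookies.get("sig")
    if not isinstance(user, str) or not isinstance(sig, str):
        return False
    try:
        presented = bytes.fromhex(sig)
    except ValueError:
        return False  # malformed tag, reject without comparing
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_tag(user), presented)


if __name__ == "__main__":
    issued = issue_session_cookie("operator")   # constructed sample user
    edited = dict(issued, user="admin")         # value changed client-side
    print("weak check, edited cookie:  ", weak_is_authenticated(
        {"logged_in": "1", "user": "admin"}))
    print("strict check, issued cookie:", strict_is_authenticated(issued))
    print("strict check, edited cookie:", strict_is_authenticated(edited))
```

A server-side session table keyed by a random identifier achieves the same binding; in either design the server, not the cookie, decides which user a request belongs to.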

CVE-2016-5782 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.2.

No known public exploits specifically target this vulnerability. However, an attacker with low skill would be able to exploit this vulnerability.


