Tollgrade Fixes LightHouse Holes
Tuesday, July 12, 2016 @ 05:07 PM gHale
Tollgrade created a new version to mitigate vulnerabilities in the Smart Grid LightHouse Sensor Management System (SMS) Software EMS.
Ashish Kamble of Qualys, Inc., who discovered the vulnerabilities, tested the new version to validate it resolves these remotely exploitable vulnerabilities.
LightHouse SMS versions prior to Version 5.1, Patch 3, suffer from the vulnerabilities.
An attacker that exploits these vulnerabilities may be able to restart the system, brute force a login, or change privileged parameters.
Tollgrade Communications, Inc. is a United States-based company that maintains offices in the United Kingdom and Germany.
The affected product, LightHouse SMS Software, is a web-based distribution monitoring system deployed across the energy sector. Tollgrade estimates this product sees use primarily in North America, Europe, and South America.
An attacker can restart the LightHouse SMS Software without authentication.
CVE-2016-5790 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
In addition, the content of error messages facilitates a brute force authentication attack.
CVE-2016-5797 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
The product also has a hole where a low privileged user can access and modify parameters that only an administrator should be able to access.
CVE-2016-5807 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.1.
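The two weaknesses behind CVE-2016-5797 and CVE-2016-5807 are common web-application patterns: login errors that reveal which part of the credential was wrong, and privileged parameters that are hidden in the UI but not enforced on the server. The following Python is an added illustration of the weak pattern beside its hardened form; it is not Tollgrade code, and the user table, parameter names and messages are constructed for the example.

```python
import hashlib
import hmac

# Constructed user table (not from the advisory): username -> (salt, PBKDF2 digest, role)
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"
USERS = {
    "operator": (_SALT, _hash("op-pass", _SALT), "user"),
    "admin": (_SALT, _hash("admin-pass", _SALT), "admin"),
}

def login_verbose(username: str, password: str):
    """Weak pattern: the error text tells the caller whether the username
    exists, so a brute-force attempt can first confirm valid accounts."""
    rec = USERS.get(username)
    if rec is None:
        return (False, "unknown user")
    salt, digest, _ = rec
    if not hmac.compare_digest(_hash(password, salt), digest):
        return (False, "wrong password")
    return (True, "ok")

def login_hardened(username: str, password: str):
    """Hardened: one generic message for every failure, and the password
    digest is computed even for unknown users so timing does not differ."""
    salt, digest, _ = USERS.get(username, (_SALT, b"\x00" * 32, None))
    matched = hmac.compare_digest(_hash(password, salt), digest)
    ok = matched and username in USERS
    return (ok, "ok" if ok else "invalid credentials")

ADMIN_ONLY = {"restart_interval", "alarm_thresholds"}  # constructed parameter names

def set_parameter(username: str, name: str, value, store: dict):
    """Server-side authorization: privileged parameters require the admin
    role regardless of what the client UI exposes to a low-privileged user."""
    rec = USERS.get(username)
    if rec is None:
        return (False, "not authenticated")
    if name in ADMIN_ONLY and rec[2] != "admin":
        return (False, "admin role required")
    store[name] = value
    return (True, store)
```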
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill would be able to exploit them.
Tollgrade Communications Inc. released updated software, Version 5.1, Patch 3, which resolves these vulnerabilities.
Updated software may be found on the Tollgrade support site.