Trihedral Fixes VTScada Vulnerabilities

Wednesday, June 8, 2016 @ 10:06 AM gHale


Trihedral Engineering Ltd. created a new version to mitigate several vulnerabilities in its Trihedral VTScada, according to a report on ICS-CERT.

These vulnerabilities, discovered by an anonymous researcher who reported them to the Zero Day Initiative (ZDI), are remotely exploitable.


VTScada versions after Version 8 and before Version 11.2.02 suffer from the issues.

The vulnerabilities apply only to the WAP interface (typically port 9201/TCP). Only a small fraction of the installed base of VTScada uses this legacy feature.

An attacker may exploit these vulnerabilities to download or view arbitrary files, or to crash the server so that it stays down until it is manually relaunched.

Trihedral Engineering Ltd. is a Canada-based company that maintains offices in the United States and the United Kingdom.

VTScada (also known as VTS prior to 2013) is a Windows-based SCADA system with a web interface option.

VTScada sees action across chemical, critical manufacturing, communications, energy, food and agriculture, transportation systems, and water and wastewater systems.

Trihedral Engineering said this product sees use primarily in North America and Europe.

In one of the vulnerabilities, an attacker could cause the software to read outside the intended buffer, resulting in a crash.

CVE-2016-4523 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

In addition, an attacker can replace the path in a request to retrieve any file.

CVE-2016-4532 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.1.

Also, the software does not properly authenticate requests to read arbitrary files.

CVE-2016-4510 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.1.
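The two file-read issues above come down to a server that serves whatever path a request names. As an added illustration, not Trihedral's code and not VTScada's actual WAP file-serving logic, the following Python confines resolved paths to a document root (handling encoded and backslash-separated traversal, which matters for a Windows-hosted server) and runs the same check over constructed access-log lines to flag requests that should never have been served. The root directory, the log format and the request paths are all constructed for the example.

```python
import ntpath
import os
from typing import List, Optional
from urllib.parse import unquote

# Constructed document root for the legacy WAP listener on 9201/TCP
# (an assumption for this example, not a real VTScada install path).
WAP_ROOT = os.path.realpath("wap_root")


def resolve_wap_path(request_path: str, root: str = WAP_ROOT) -> Optional[str]:
    """Map a requested URL path onto a file under `root`, or return None.

    The request is decoded and normalised *before* the containment check,
    so percent-encoded or backslash-separated traversal cannot bypass it.
    """
    decoded = unquote(unquote(request_path))  # also catches double-encoding
    decoded = decoded.replace("\\", "/")      # Windows treats both as separators
    if "\x00" in decoded:
        return None                           # NUL would truncate the name in C APIs
    relative = decoded.lstrip("/")            # the URL root maps onto `root`
    if ntpath.isabs(relative):
        return None                           # drive-letter paths are never served
    candidate = os.path.realpath(os.path.join(root, relative))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:                        # different drive on Windows
        inside = False
    return candidate if inside else None


def review_requests(lines: List[str], root: str = WAP_ROOT) -> List[str]:
    """Return the request paths from constructed log lines that the resolver
    refuses; on a WAP listener these are the requests worth alerting on."""
    refused = []
    for line in lines:
        path = line.split()[1]                # constructed format: CLIENT PATH
        if resolve_wap_path(path, root) is None:
            refused.append(path)
    return refused


# Constructed sample requests, not captured traffic.
SAMPLE_LOG = [
    "10.0.0.5 /index.wml",
    "10.0.0.5 /pages/../index.wml",
    "10.0.0.5 /pages/../../../../Windows/win.ini",
    "10.0.0.9 /%2e%2e%5c%2e%2e%5cboot.ini",
    "10.0.0.9 /C:\\secret.txt",
]

if __name__ == "__main__":
    print(review_requests(SAMPLE_LOG))
```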

No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level would be able to exploit them.

Trihedral Engineering created an updated software version (version 11.2.02) to address these vulnerabilities. This software update is available on Trihedral Engineering's FTP site.


If you have any questions or any difficulties with installing one of these updates, call Trihedral Tech Support at 855-887-2232, 902-835-1575, or +44 (0) 1224 258910 for the United Kingdom.