Trihedral Mitigates VTScada Holes

Tuesday, June 13, 2017 @ 03:06 PM gHale


Trihedral released updated software to mitigate resource consumption, cross-site scripting and information exposure vulnerabilities in its VTScada product, according to a report with ICS-CERT.

VTScada versions prior to 11.2.26 suffer from the remotely exploitable vulnerabilities, discovered by Karn Ganeshen, who has also tested the patch.


Successful exploitation of these vulnerabilities could result in uncontrolled resource consumption, arbitrary code execution, or information exposure.

No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level could leverage them.

In one vulnerability, the client neither validates input properly nor limits the resources a request may consume, so an attacker can exhaust more resources than are available (uncontrolled resource consumption).

CVE-2017-6043 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

A cross-site scripting vulnerability may allow JavaScript code supplied by the attacker to execute within the user’s browser.

CVE-2017-6053 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.

Some files are exposed within the web server application to unauthenticated users. These files may contain sensitive configuration information.

CVE-2017-6045 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

The product sees action in the chemical, critical manufacturing, communications, energy, food and agriculture, transportation systems, and water and wastewater systems sectors. It is deployed mainly in North America and Europe.

Bedford, Nova Scotia, Canada-based Trihedral recommends users of an affected version update to the latest version, v11.2.26.
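As an added example (not Trihedral's or ICS-CERT's code), the check an asset owner would run over an install inventory to find VTScada hosts still below the fixed release 11.2.26 named above. Hostnames and versions in the sample inventory are constructed; the CVE ids and CVSS scores are those quoted in this article.

```python
# Added example: flag VTScada installs older than the fixed release 11.2.26.
from typing import Dict, List, Tuple

FIXED_VERSION = "11.2.26"  # fixed release named in the advisory

# CVE ids and CVSS v3 base scores as given in the advisory summary.
ADVISORY_CVES: Dict[str, float] = {
    "CVE-2017-6043": 7.5,  # uncontrolled resource consumption
    "CVE-2017-6053": 6.5,  # cross-site scripting
    "CVE-2017-6045": 7.5,  # information exposure via web server files
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.2.26' into (11, 2, 26) so each field compares numerically.

    A plain string compare gets this wrong: '11.2.9' > '11.2.26' as text,
    which would mark an affected host as patched.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fix."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, float]]:
    """Return (host, version, worst CVSS) for affected hosts, oldest first."""
    worst = max(ADVISORY_CVES.values())
    hits = [(h, v, worst) for h, v in inventory.items() if is_affected(v)]
    return sorted(hits, key=lambda t: parse_version(t[1]))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: Dict[str, str] = {
    "hmi-01": "11.2.9",    # affected; string compare would say otherwise
    "hmi-02": "11.2.26",   # at the fixed release
    "hist-01": "11.1.30",  # affected
    "eng-ws": "11.3.1",    # newer than the fix
}

if __name__ == "__main__":
    for host, ver, score in triage(SAMPLE_INVENTORY):
        print(f"{host}: VTScada {ver} < {FIXED_VERSION}, max CVSS {score}")
```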

Trihedral also provides help file notes on upgrading VTScada/VTS.


