CyberVision IoT Platform Vulnerability

Tuesday, May 2, 2017 @ 03:05 PM gHale

There is a remotely exploitable code injection vulnerability in CyberVision’s Kaa IoT Platform, according to a report from ICS-CERT.

Kaa IoT Platform, Version 0.7.4, and possibly other versions suffer from the issue and because CyberVision’s Kaa Project has been unresponsive to multiple contact requests from ICS-CERT, there are currently no mitigations for this vulnerability.

Wonderware Clears Historian Client Hole
Certec Updates Ativise Scada Holes
GE Clears Multilin SR Protective Relays Hole
Hyundai Updates Blue Link App

Successful exploitation of this vulnerability, discovered by Jacob Baines from Tenable Network Security, could allow for the creation of files with custom content, movement of files, and execution of arbitrary OS commands.

No known public exploits specifically target this vulnerability. However, it would take an attacker with a low skill level to leverage this vulnerability.

A code injection vulnerability has been identified, which may allow remote code execution.

CVE-2017-7911 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.3.

The product sees use in the commercial facilities, critical manufacturing, food and agriculture, healthcare and public health, and information technology sectors. It also sees action on a global basis.

As a result of the no mitigations forthcoming from Miami-FL-based CyberVision, ICS-CERT said users could take defensive measures to minimize the risk of exploitation of this vulnerability. Users should:
• Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

Leave a Reply

You must be logged in to post a comment.