GEOVAP Fixes Reliance 4 SCADA/HMI

Thursday, October 25, 2018 @ 03:10 PM gHale

GEOVAP has a new version to mitigate a cross-site scripting vulnerability in its Reliance 4 SCADA/HMI, according to a report with NCCIC.

Successful exploitation of this vulnerability, discovered by Ismail Mert AY AK, could allow an unauthenticated attacker to use HTTP proxy to inject arbitrary Javascript in a specially crafted HTTP request that may reflect it back in the HTTP response.

Advantech Clears WebAccess Hole
Telecrane Fixes F25 Series Vulnerability
GAIN Fixes SAGA1-L Series Holes
Advantech Fixes WebAccess Holes

A SCADA/HMI system designed for the monitoring and control of industrial processes and for building automation, Reliance SCADA Version 4.7.3 Update 3 and prior suffer from the remotely exploitable vulnerability.

This vulnerability could allow an unauthorized attacker to inject arbitrary code.

CVE-2018-17904 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.1.

The product sees use in the critical manufacturing, energy, transportation systems, and water and wastewater systems sector. It also sees action on a global basis.

No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.

Czech Republic-based GEOVAP released Version 4.8.0, which mitigates the vulnerability. GEOVAP recommends users upgrade existing projects to this version.

GEOVAP also recommends users switch the application to HTTPS to prevent the manipulation of HTTP messages in an HTTP proxy. Changing to HTTPS should help even if Version 4.7.3 Update 3 and prior are still used.

Leave a Reply

You must be logged in to post a comment.