LCDS Mitigates Vulnerabilities

Tuesday, October 16, 2018 @ 06:10 PM gHale

LCDS – Leão Consultoria e Desenvolvimento de Sistemas LTDA ME has a new version to mitigate multiple vulnerabilities in its LAquis SCADA, according to a report from NCCIC.

The vulnerabilities are an untrusted pointer dereference, out-of-bounds read, integer overflow to buffer overflow, path traversal, out-of-bounds write, and stack-based buffer overflow.

Successful exploitation of these remotely exploitable vulnerabilities, discovered by Mat Powell of Trend Micro Zero Day Initiative, rgod of 9SG Security Team, Esteban Ruiz (mr_me) of Source Incite, b0nd @garage4hackers, and Ashraf Alharbi (Ha5ha5hin) working with Trend Micro’s Zero Day Initiative, could allow an attacker to execute arbitrary code, crash the system, or write controlled content to the target system.

Industrial automation software, Smart Security Manager Versions 4.1.0.3870 and prior suffer from the vulnerabilities.

In one issue, an untrusted pointer dereference vulnerability has been identified, which may allow remote code execution.

CVE-2018-17893 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.6.

In addition, several out-of-bounds read vulnerabilities have been identified, which may allow remote code execution.

CVE-2018-17895 is the case number assigned to these vulnerabilities, which have a CVSS v3 base score of 7.3.

Also, several integer overflow to buffer overflow vulnerabilities have been identified, which may allow remote code execution.

CVE-2018-17897 is the case number assigned to these vulnerabilities, which have a CVSS v3 base score of 5.6.

There was also a path traversal vulnerability identified, which may allow remote code execution.

CVE-2018-17899 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.3.

When processing project files, the application fails to sanitize user input prior to performing write operations on a stack object, which may allow an attacker to execute code under the current process.

CVE-2018-17901 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

Several stack-based buffer overflow vulnerabilities have been identified, which may allow remote code execution.

CVE-2018-17911 is the case number assigned to these vulnerabilities, which have a CVSS v3 base score of 7.8.

The product sees use mainly in the chemical, commercial facilities, energy, food and agriculture, transportation systems, and water and wastewater systems sectors. The product also sees action in South America.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

Brazil-based LCDS recommends users update to Version 4.1.0.4114.


