Pilz Fixes Safety Controller Hole

Monday, December 3, 2018 @ 05:12 PM gHale

Pilz released a fix for a vulnerability in its PNOZmulti Configurator software that could allow a local attacker to read sensitive data in clear text, said Gjoko Krstic, a researcher at Applied Risk.

The software is used to configure safety controllers, providing the user with the ability to modify elements such as IP addresses, download and upload project files and run other setup functions.

The tool can be found on engineering workstations used to configure safety controllers. The software is commonly used in industries such as oil and gas, manufacturing, chemicals, and power.

By exploiting the software, attackers could gain access to system passwords, which can be used to alter configuration files in the system.

The vulnerability has been discovered and validated on Pilz PNOZmulti Configurator 10.8. Older versions are affected too.

There are currently no known exploits for this vulnerability.

Applied Risk worked with Pilz and a fix has been issued by the vendor.

The flaw has been given a CVSSv3 (Common Vulnerability Scoring System) score of 4.4.
