Progea Fixes Movicon SCADA App

Wednesday, April 16, 2014 @ 10:04 AM gHale

Progea created a new version that mitigates an information disclosure vulnerability in the Movicon application, according to a report on ICS-CERT.

Celil Ünüver of SignalSEC Ltd., the researcher that discovered the remotely exploitable vulnerability, tested the new version to validate it resolves the issue.

Alert: DNP3 Implementation Vulnerability
OSIsoft Mitigates Hole in DNP3 Line
WellinTech Corrects KingSCADA Hole
Siemens Beats the BEAST

Progea Movicon 11.4 prior to Build 1150 suffers from the issue.

The service of the software allows download and upload of files. Some opcode functions could end up triggered remotely to release limited information such as OS version information.

Progea Srl is an Italian-based company.

The affected product, Progea Movicon 11, is an XML-based human-machine interface development system that includes drivers for programmable logic controllers (PLCs). Movicon provides OPC-based connectivity for data transfer, including OPC DA and OPC XML DA services. According to Progea, Movicon sees use across several critical infrastructure sectors including critical manufacturing, energy, and water and wastewater systems.

Progea said this primarily sees use in Europe, India, and the United States.

TCPUploader module listens on Port 10651/TCP for incoming connections. Exploitation of this vulnerability could allow a remote unauthenticated user access to release OS version information. While this is a minor vulnerability, it represents a method for further network reconnaissance.

CVE-2014-0778 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.

No known public exploits specifically target this vulnerability. However, an attacker with a moderate skill would be able to exploit this vulnerability.

Progea has updated and fixed the vulnerability in Movicon Version 11.4.1150. This is available as a download from the Progea Technical Support site.

Users must register on the Progea web site to download this new version.

Leave a Reply

You must be logged in to post a comment.