Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Infinite Automation Patches Flaws in SCADA/HMI Product

Infinite Automation Systems has released a new version of its Mango Automation product to address a series of vulnerabilities that can be leveraged for various types of malicious attacks.

Infinite Automation Systems has released a new version of its Mango Automation product to address a series of vulnerabilities that can be leveraged for various types of malicious attacks.

Infinite Automation is a Lafayette, Colorado-based company that specializes in human-machine interface (HMI) and supervisory control and data acquisition (SCADA) solutions. The company’s flagship product, Mango Automation, is designed to serve as an end-to-end SCADA/HMI solution, and as a platform for building custom applications.

According to ICS-CERT, Gjoko Krstic of Zero Science Lab and Steven Seeley of Source Incite have independently discovered multiple vulnerabilities affecting Mango Automation versions 2.5.0 through 2.6.0 beta.

Based on CVSS scores assigned by ICS-CERT, the most serious issues are an OS command injection and a cross-site request forgery (CSRF) flaw, which have been assigned the CVE-2015-7901 and CVE-2015-6493 identifiers and a score of 6.3.

Interestingly, according to ICS-CERT, Mango Automation 2.6.0 build 430 patches all the vulnerabilities reported by Seeley and Krstic, except for these CSRF and OS command injection flaws. A new variant of the software that should resolve these issues is expected to be released in December. Until then, users are advised to implement mitigations.

The other problems found by the researchers are unrestricted file upload (CVE-2015-7904), information exposure (CVE-2015-7900, CVE-2015-7902), SQL injection (CVE-2015-7903), and cross-site scripting (CVE-2015-6494) vulnerabilities.

Advertisement. Scroll to continue reading.

ICS-CERT says exploits for these vulnerabilities, which can be abused even by an attacker with low skill, are publicly available.

Siemens Patches Flaw in RuggedCom Devices

Siemens has released firmware updates to address a vulnerability affecting RuggedCom devices running the company’s rugged operating systems ROS and ROX. The issue is an improper ethernet frame padding flaw (CVE-2015-7836) that could lead to data leakage.

“IEEE 802 specifies that packets have a minimum size of 56 bytes. The Ethernet driver is expected to fill the data field with octets of zero for padding when packets are less than 56 bytes. Resident memory and other data are used for padding in some implementations that could cause information leakage,” ICS-CERT explained in an advisory. “This attack is passive; the attacker can only see data that the affected device sent out as part of a packet.”

The flaw, reported by David Formby and Raheem Beyah of Georgia Tech, has been patched with the release of firmware version 4.2.1.

Related Reading: Flaws in Rockwell PLCs Expose Operational Networks

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.