Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Critical Vulnerabilities Found in AUVESY Product Used by Major Industrial Firms

A total of 17 types of vulnerabilities, including many rated critical and high severity, have been found by researchers in the Versiondog data management product made by AUVESY.

A total of 17 types of vulnerabilities, including many rated critical and high severity, have been found by researchers in the Versiondog data management product made by AUVESY.

The vulnerabilities were discovered by employees of industrial cybersecurity firm Claroty and responsibly disclosed to Germany-based AUVESY, which specializes in data management for automated production. The vendor has patched all of the flaws.

The affected product, Versiondog, provides automatic backup and version control capabilities, and it can be integrated with a wide range of industrial systems. According to the vendor’s website, the product has been used by major companies such as Nestle, Coca Cola, Kraft Foods, Merck, and several automotive giants.

“Versiondog runs inside some of the largest industrial enterprises in the world to automatically store software versions, document them, and securely back up data that can be compared to current error-free versions in order to ensure plants run efficiently,” Claroty said in a blog post. “Any disruption or manipulation of the information handled by the product could have devastating consequences to the safety and integrity of an industrial process.”

The vulnerabilities found in Versiondog include issues that can be exploited by remote attackers to bypass authentication, elevate privileges, obtain hardcoded cryptographic keys, execute arbitrary code, manipulate files and data, and cause denial of service.

The security holes have been found in the OS Server API, Scheduler, and WebInstaller components of Versiondog. Six of the vulnerabilities have been assigned a severity rating of critical and nine have been rated high severity.

ICS Cyber Security Conference

According to Claroty, the vendor not only released patches for the vulnerabilities — fixes are included in version 8.1 — but also addressed the root causes of these and other security issues.

Advertisement. Scroll to continue reading.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also released an advisory to inform organizations about these vulnerabilities.

Claroty has described this as a “success story” in terms of the vulnerability disclosure process, but there have been many situations over the past years where potentially serious flaws were disclosed without patches being available, and vendors only took action after the disclosure attracted the attention of the media.

Claroty reported in August that more than 600 vulnerabilities affecting industrial control system (ICS) products were disclosed in the first half of 2021, more than 70% of which were assigned critical or high severity ratings.

Related: Vulnerability Found in Industrial Remote Access Product From Claroty

Related: Vulnerability Allows Remote DoS Attacks Against Apps Using Linphone SIP Stack

Related: Industrial Firms Informed About Serious Vulnerabilities in Matrikon OPC Product

Related: Flaws in Nagios Network Management Product Can Pose Risk to Many Companies

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...