Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Critical Vulnerabilities Found in AUVESY Product Used by Major Industrial Firms

A total of 17 types of vulnerabilities, including many rated critical and high severity, have been found by researchers in the Versiondog data management product made by AUVESY.

A total of 17 types of vulnerabilities, including many rated critical and high severity, have been found by researchers in the Versiondog data management product made by AUVESY.

The vulnerabilities were discovered by employees of industrial cybersecurity firm Claroty and responsibly disclosed to Germany-based AUVESY, which specializes in data management for automated production. The vendor has patched all of the flaws.

The affected product, Versiondog, provides automatic backup and version control capabilities, and it can be integrated with a wide range of industrial systems. According to the vendor’s website, the product has been used by major companies such as Nestle, Coca Cola, Kraft Foods, Merck, and several automotive giants.

“Versiondog runs inside some of the largest industrial enterprises in the world to automatically store software versions, document them, and securely back up data that can be compared to current error-free versions in order to ensure plants run efficiently,” Claroty said in a blog post. “Any disruption or manipulation of the information handled by the product could have devastating consequences to the safety and integrity of an industrial process.”

The vulnerabilities found in Versiondog include issues that can be exploited by remote attackers to bypass authentication, elevate privileges, obtain hardcoded cryptographic keys, execute arbitrary code, manipulate files and data, and cause denial of service.

The security holes have been found in the OS Server API, Scheduler, and WebInstaller components of Versiondog. Six of the vulnerabilities have been assigned a severity rating of critical and nine have been rated high severity.

ICS Cyber Security Conference

According to Claroty, the vendor not only released patches for the vulnerabilities — fixes are included in version 8.1 — but also addressed the root causes of these and other security issues.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also released an advisory to inform organizations about these vulnerabilities.

Advertisement. Scroll to continue reading.

Claroty has described this as a “success story” in terms of the vulnerability disclosure process, but there have been many situations over the past years where potentially serious flaws were disclosed without patches being available, and vendors only took action after the disclosure attracted the attention of the media.

Claroty reported in August that more than 600 vulnerabilities affecting industrial control system (ICS) products were disclosed in the first half of 2021, more than 70% of which were assigned critical or high severity ratings.

Related: Vulnerability Found in Industrial Remote Access Product From Claroty

Related: Vulnerability Allows Remote DoS Attacks Against Apps Using Linphone SIP Stack

Related: Industrial Firms Informed About Serious Vulnerabilities in Matrikon OPC Product

Related: Flaws in Nagios Network Management Product Can Pose Risk to Many Companies

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.