Infinite Automation Patches Flaws in SCADA/HMI Product

Infinite Automation Systems has released a new version of its Mango Automation product to address a series of vulnerabilities that can be leveraged for various types of malicious attacks.

Infinite Automation is a Lafayette, Colorado-based company that specializes in human-machine interface (HMI) and supervisory control and data acquisition (SCADA) solutions. The company’s flagship product, Mango Automation, is designed to serve as an end-to-end SCADA/HMI solution, and as a platform for building custom applications.

According to ICS-CERT, Gjoko Krstic of Zero Science Lab and Steven Seeley of Source Incite have independently discovered multiple vulnerabilities affecting Mango Automation versions 2.5.0 through 2.6.0 beta.

Based on CVSS scores assigned by ICS-CERT, the most serious issues are an OS command injection and a cross-site request forgery (CSRF) flaw, which have been assigned the CVE-2015-7901 and CVE-2015-6493 identifiers and a score of 6.3.

Interestingly, according to ICS-CERT, Mango Automation 2.6.0 build 430 patches all the vulnerabilities reported by Seeley and Krstic, except for these CSRF and OS command injection flaws. A new variant of the software that should resolve these issues is expected to be released in December. Until then, users are advised to implement mitigations.

The other problems found by the researchers are unrestricted file upload (CVE-2015-7904), information exposure (CVE-2015-7900, CVE-2015-7902), SQL injection (CVE-2015-7903), and cross-site scripting (CVE-2015-6494) vulnerabilities.

ICS-CERT says exploits for these vulnerabilities, which can be abused even by an attacker with low skill, are publicly available.

Siemens Patches Flaw in RuggedCom Devices

Siemens has released firmware updates to address a vulnerability affecting RuggedCom devices running the company’s rugged operating systems ROS and ROX. The issue is an improper Ethernet frame padding flaw (CVE-2015-7836) that could lead to data leakage.

“IEEE 802 specifies that packets have a minimum size of 56 bytes. The Ethernet driver is expected to fill the data field with octets of zero for padding when packets are less than 56 bytes. Resident memory and other data are used for padding in some implementations that could cause information leakage,” ICS-CERT explained in an advisory. “This attack is passive; the attacker can only see data that the affected device sent out as part of a packet.”

The flaw, reported by David Formby and Raheem Beyah of Georgia Tech, has been patched with the release of firmware version 4.2.1.
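A defender can look for the padding behaviour described in the advisory in a packet capture. The Python check below is an added example, not code from ICS-CERT, Siemens or the researchers: it compares the IPv4 total length with the frame length and reports frames whose trailing pad bytes are not all zero. It assumes IPv4 frames captured without the frame check sequence; the function names and the two sample frames are constructed for illustration.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100  # 802.1Q tag

def padding_bytes(frame: bytes) -> bytes:
    """Bytes that follow the IPv4 datagram in a captured frame (FCS already stripped)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == ETHERTYPE_VLAN:  # skip a single VLAN tag
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        offset = 18
    if ethertype != ETHERTYPE_IPV4:
        return b""  # no length field parsed here, so nothing to compare against
    if len(frame) < offset + 20 or frame[offset] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    (total_len,) = struct.unpack_from("!H", frame, offset + 2)
    if total_len < 20 or offset + total_len > len(frame):
        raise ValueError("IPv4 total length does not fit the frame")
    return frame[offset + total_len:]

def nonzero_padding(frames):
    """Return (index, padding) for every frame whose padding is not all zero octets."""
    hits = []
    for i, frame in enumerate(frames):
        pad = padding_bytes(frame)
        if any(pad):
            hits.append((i, pad))
    return hits

def sample_frame(pad: bytes) -> bytes:
    """Constructed test input: a 28-byte IPv4/ICMP datagram followed by `pad`."""
    eth = bytes.fromhex("ffffffffffff" "020000000001") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + bytes(8) + pad

CLEAN = sample_frame(bytes(18))              # zero-filled, as the driver is expected to do
LEAKY = sample_frame(b"RESIDUAL-MEMORY!!!")  # constructed stand-in for leaked memory

if __name__ == "__main__":
    for index, pad in nonzero_padding([CLEAN, LEAKY, CLEAN]):
        print(f"frame {index}: non-zero padding {pad!r}")
```
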

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
