Infinite Automation Systems has released a new version of its Mango Automation product to address a series of vulnerabilities that can be leveraged for various types of malicious attacks.
Infinite Automation is a Lafayette, Colorado-based company that specializes in human-machine interface (HMI) and supervisory control and data acquisition (SCADA) solutions. The company’s flagship product, Mango Automation, is designed to serve as an end-to-end SCADA/HMI solution, and as a platform for building custom applications.
According to ICS-CERT, Gjoko Krstic of Zero Science Lab and Steven Seeley of Source Incite have independently discovered multiple vulnerabilities affecting Mango Automation versions 2.5.0 through 2.6.0 beta.
Based on CVSS scores assigned by ICS-CERT, the most serious issues are an OS command injection and a cross-site request forgery (CSRF) flaw, which have been assigned the CVE-2015-7901 and CVE-2015-6493 identifiers and a score of 6.3.
Interestingly, according to ICS-CERT, Mango Automation 2.6.0 build 430 patches all the vulnerabilities reported by Seeley and Krstic except for these CSRF and OS command injection flaws. A new version of the software that should resolve these issues is expected to be released in December. Until then, users are advised to implement mitigations.
The other problems found by the researchers are unrestricted file upload (CVE-2015-7904), information exposure (CVE-2015-7900, CVE-2015-7902), SQL injection (CVE-2015-7903), and cross-site scripting (CVE-2015-6494) vulnerabilities.
ICS-CERT says exploits for these vulnerabilities, which can be abused even by an attacker with low skill, are publicly available.
Siemens Patches Flaw in RuggedCom Devices
Siemens has released firmware updates to address a vulnerability affecting RuggedCom devices running the company’s rugged operating systems ROS and ROX. The issue is an improper Ethernet frame padding flaw (CVE-2015-7836) that could lead to data leakage.
“IEEE 802 specifies that packets have a minimum size of 56 bytes. The Ethernet driver is expected to fill the data field with octets of zero for padding when packets are less than 56 bytes. Resident memory and other data are used for padding in some implementations that could cause information leakage,” ICS-CERT explained in an advisory. “This attack is passive; the attacker can only see data that the affected device sent out as part of a packet.”
The flaw, reported by David Formby and Raheem Beyah of Georgia Tech, has been patched with the release of firmware version 4.2.1.
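As an added example (not code from ICS-CERT, Siemens or the researchers), the following Python performs the passive check the advisory describes from the defender's side: for each captured frame it locates the end of the encapsulated datagram and reports any trailing padding bytes that are not zero. The sample frames are constructed inline; the frame layout constants are the standard ones.

```python
# Added example: detect non-zero Ethernet padding (possible memory leakage) in
# short frames. Frames are assumed to have the FCS already stripped, as most
# capture tools deliver them. Sample frames below are constructed, not real.
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800

def padding_of(frame: bytes) -> bytes:
    """Return the trailer bytes after the encapsulated datagram.
    Understands IPv4 and raw IEEE 802.3 length-field frames; others yield b""."""
    if len(frame) < ETH_HDR_LEN:
        return b""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[ETH_HDR_LEN:]
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 4:
        # IPv4 total length covers header + data; anything beyond it is padding
        declared = struct.unpack("!H", payload[2:4])[0]
    elif ethertype <= 1500:
        # IEEE 802.3: the type field is actually the payload length
        declared = ethertype
    else:
        return b""
    return payload[declared:]

def leaked_padding(frame: bytes) -> bytes:
    """Return the padding if any byte in it is non-zero; b"" means the frame is clean."""
    pad = padding_of(frame)
    return pad if any(pad) else b""

def build_frame(ip_payload: bytes, pad: bytes) -> bytes:
    """Constructed test frame: minimal IPv4 header + ip_payload, then the padding
    a driver would append to reach the minimum frame size."""
    total_len = 20 + len(ip_payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth_hdr = (b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"
               + struct.pack("!H", ETHERTYPE_IPV4))
    return eth_hdr + ip_hdr + ip_payload + pad

# Constructed samples: a 4-byte datagram payload leaves 22 bytes of padding.
CLEAN = build_frame(b"ping", b"\x00" * 22)              # correct driver: zeros
LEAKY = build_frame(b"ping", b"admin:secret-password!")  # stale buffer contents

if __name__ == "__main__":
    for name, frame in (("clean", CLEAN), ("leaky", LEAKY)):
        print(name, leaked_padding(frame) or "padding is all zero")
```

Run it over frames captured from an affected device's own traffic; repeated non-zero trailers from one host are the signature of this bug and a reason to prioritise the firmware update.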