
Infinite Automation Patches Flaws in SCADA/HMI Product

Infinite Automation Systems has released a new version of its Mango Automation product to address a series of vulnerabilities that can be leveraged for various types of malicious attacks.

Infinite Automation is a Lafayette, Colorado-based company that specializes in human-machine interface (HMI) and supervisory control and data acquisition (SCADA) solutions. The company’s flagship product, Mango Automation, is designed to serve as an end-to-end SCADA/HMI solution, and as a platform for building custom applications.

According to ICS-CERT, Gjoko Krstic of Zero Science Lab and Steven Seeley of Source Incite have independently discovered multiple vulnerabilities affecting Mango Automation versions 2.5.0 through 2.6.0 beta.

Based on the CVSS scores assigned by ICS-CERT, the most serious issues are an OS command injection flaw and a cross-site request forgery (CSRF) flaw, tracked as CVE-2015-7901 and CVE-2015-6493 respectively, each with a score of 6.3.

Interestingly, according to ICS-CERT, Mango Automation 2.6.0 build 430 patches all the vulnerabilities reported by Seeley and Krstic except for the CSRF and OS command injection flaws. A new version of the software that should resolve these issues is expected to be released in December. Until then, users are advised to implement mitigations.

The other problems found by the researchers are unrestricted file upload (CVE-2015-7904), information exposure (CVE-2015-7900, CVE-2015-7902), SQL injection (CVE-2015-7903), and cross-site scripting (CVE-2015-6494) vulnerabilities.

ICS-CERT says exploits for these vulnerabilities, which can be abused even by an attacker with low skill, are publicly available.

Siemens Patches Flaw in RuggedCom Devices


Siemens has released firmware updates to address a vulnerability affecting RuggedCom devices running the company’s rugged operating systems ROS and ROX. The issue is an improper Ethernet frame padding flaw (CVE-2015-7836) that could lead to data leakage.

“IEEE 802 specifies that packets have a minimum size of 56 bytes. The Ethernet driver is expected to fill the data field with octets of zero for padding when packets are less than 56 bytes. Resident memory and other data are used for padding in some implementations that could cause information leakage,” ICS-CERT explained in an advisory. “This attack is passive; the attacker can only see data that the affected device sent out as part of a packet.”

The flaw, reported by David Formby and Raheem Beyah of Georgia Tech, has been patched with the release of firmware version 4.2.1.
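As an added illustration (not part of the article, the advisory, or Siemens material), the following Python checks whether the bytes trailing a short IPv4 packet inside an Ethernet frame are all zero, which is what a correct driver pads with; non-zero trailing bytes are the symptom a network monitor would flag. The sample frames and the "leaked" padding content are constructed; the 60-byte figure used here is the 64-byte wire minimum minus the 4-byte FCS.

```python
import struct
from typing import Optional

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
MIN_FRAME_NO_FCS = 60  # 64-byte wire minimum minus the 4-byte FCS


def ip_packet_end(frame: bytes) -> Optional[int]:
    """Offset where the IPv4 packet ends inside the frame, or None if the
    frame is not IPv4 or its header is inconsistent with the frame size."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    total_length = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
    end = ETH_HDR_LEN + total_length
    if total_length < 20 or end > len(frame):
        return None
    return end


def check_padding(frame: bytes) -> dict:
    """Return the bytes after the IP packet and whether any of them is non-zero.
    Correct padding is all zeros; anything else is a leakage candidate."""
    end = ip_packet_end(frame)
    if end is None:
        return {"checked": False, "padding": b"", "leak_suspected": False}
    padding = frame[end:]
    return {"checked": True, "padding": padding, "leak_suspected": any(padding)}


def build_frame(ip_payload: bytes, pad: bytes) -> bytes:
    """Constructed sample: Ethernet header + minimal IPv4 header (UDP, no checksum) + payload + pad."""
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000001")
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ip_payload), 0, 0,
                         64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + ip_payload + pad


# 12-byte UDP datagram (8-byte header + "ping"); the frame is 46 bytes before padding
PAYLOAD = b"\x00\x07\x00\x07\x00\x0c\x00\x00ping"
PAD_LEN = MIN_FRAME_NO_FCS - (ETH_HDR_LEN + 20 + len(PAYLOAD))
CLEAN_FRAME = build_frame(PAYLOAD, bytes(PAD_LEN))       # zero padding, as a correct driver emits
LEAKY_FRAME = build_frame(PAYLOAD, b"admin:secret99")    # constructed stale-memory padding

if __name__ == "__main__":
    for name, frame in (("clean", CLEAN_FRAME), ("leaky", LEAKY_FRAME)):
        result = check_padding(frame)
        print(name, "suspect" if result["leak_suspected"] else "ok", result["padding"])
```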


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
