Sauter Quickly Patches Flaw in Building Automation Software

A serious vulnerability that allows an attacker to steal files from an affected system has been found by a researcher in a building automation product from Swiss-based Fr. Sauter AG. It took the vendor only 10 days to release a patch.

The impacted product, CASE Suite, is designed for handling building automation projects. ICS-CERT says the software is used worldwide, particularly in the critical manufacturing sector.

Gjoko Krstic, a researcher with industrial cybersecurity firm Applied Risk, found that CASE Suite versions 3.10 and prior are affected by a high severity XML external entity (XXE) vulnerability. According to an advisory published by Applied Risk on Friday, the flaw impacts the CASE Components, CASE Sensors and CASE VAV applications.

The security hole is tracked as CVE-2018-17912 and it has been assigned CVSS scores of 7.5 (ICS-CERT) and 8.6 (Applied Risk).

“The application suffers from an XML External Entity (XXE) vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack,” Applied Risk said in its advisory. “The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML data file.”

Krstic told SecurityWeek that an attacker can exploit the vulnerability by getting the targeted user to open a specially crafted XML file using a vulnerable version of the CASE Suite software. For instance, the file can be sent via email, and it may not raise too much suspicion as the software includes functionality for saving and opening project or data files with this format.

In another attack scenario, if the attacker already has access to the system, they can place the malicious file anywhere (e.g., the Desktop folder) and it will be automatically loaded when the user browses to that location via the Sauter software. The researcher noted that the application automatically loads XML files found in folders browsed by the user – he described this as dangerous functionality.

Once the malicious XML file is loaded, it allows the attacker to steal any file from the compromised system, including configuration data, personal information, account credentials, and details about the system and the network housing it, Krstic said via email.

The vulnerability can also be exploited to cause the impacted software to enter a denial-of-service (DoS) condition.
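Because the attack arrives as an XML file that is emailed or dropped into a folder the user browses, files can be screened for DTD constructs before the software reads them. The following is an added example, not code from the article, Applied Risk or Sauter; the function names are hypothetical, and it assumes legitimate project and data files never contain a DOCTYPE.

```python
import codecs
import re
from pathlib import Path

# Assumption for this example: project/data XML never needs a DTD, so any
# DOCTYPE is reported and entity declarations are classified by kind.
DOCTYPE = re.compile(r"<!DOCTYPE\b")
EXTERNAL_SUBSET = re.compile(r"<!DOCTYPE\s+[^\s\[>]+\s+(?:SYSTEM|PUBLIC)\b")
ENTITY = re.compile(r"<!ENTITY\s+(?P<param>%\s+)?[^\s>]+\s+(?P<ext>SYSTEM|PUBLIC)?")
BOMS = ((codecs.BOM_UTF8, "utf-8"), (codecs.BOM_UTF16_LE, "utf-16-le"),
        (codecs.BOM_UTF16_BE, "utf-16-be"))

def decode_xml(data):
    """Decode by BOM so a UTF-16 file cannot slip past a byte-level match."""
    for bom, enc in BOMS:
        if data.startswith(bom):
            return data[len(bom):].decode(enc, errors="replace")
    return data.decode("utf-8", errors="replace")

def screen_xml(data):
    """Return findings for one file; an empty list means no DTD constructs."""
    text = decode_xml(data)
    findings = []
    if DOCTYPE.search(text):
        findings.append("doctype")
    if EXTERNAL_SUBSET.search(text):
        findings.append("external-dtd")
    for m in ENTITY.finditer(text):
        tag = "{}-{}-entity".format("parameter" if m.group("param") else "general",
                                    "external" if m.group("ext") else "internal")
        if tag not in findings:
            findings.append(tag)
    return findings

def screen_folder(folder):
    """Screen every *.xml under a folder (e.g. an attachment drop or Desktop)."""
    hits = {}
    for path in sorted(Path(folder).rglob("*.xml")):
        found = screen_xml(path.read_bytes())
        if found:
            hits[path.name] = found
    return hits

# Constructed samples, not taken from the advisory.
BENIGN = b'<?xml version="1.0"?><project><sensor id="1"/></project>'
SUSPECT = (b'<?xml version="1.0"?>\n<!DOCTYPE p [\n'
           b'<!ENTITY % ext SYSTEM "http://example.invalid/x.dtd">\n%ext;\n]>\n<p/>')

if __name__ == "__main__":
    print(screen_xml(BENIGN), screen_xml(SUSPECT))
```

The check is text-based and fails closed: a DOCTYPE that only appears inside an XML comment is still reported.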

It’s not uncommon for researchers to find vulnerabilities in building automation software. However, in this case it took Sauter only 10 days to release a patch after it was informed of the flaw by ICS-CERT on October 15. It often takes vendors hundreds of days to patch security holes in automation products.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
