A researcher has discovered some serious vulnerabilities in a SCADA product from Missouri-based building automation and management solutions provider Lynxspring. The product is no longer supported, but it’s still used by companies.
The flaws were found by researcher Maxim Rupp in Lynxspring’s JENEsys building operating system, specifically in the BAS Bridge, which integrates Modbus TCP/RTU devices with BACnet IP/Ethernet devices.
According to an advisory published by ICS-CERT, the device is affected by four remotely exploitable vulnerabilities rated as high or critical severity. One of them, tracked as CVE-2016-8357, allows an attacker with read-only access to send specially crafted commands to the web-based application and make changes within the app.
Another issue, identified as CVE-2016-8378, refers to the storage of cleartext usernames and passwords in the database. Rupp told SecurityWeek that a combination of these two vulnerabilities enables an attacker to obtain user credentials.
Another credential-related flaw, CVE-2016-8361, can be exploited by hackers to access the system without authentication by using a hardcoded username with no password.
Finally, Rupp discovered a cross-site request forgery (CSRF) issue that allows an attacker to carry out various types of actions (e.g. create or delete users) if they can trick a legitimate user into accessing a specially crafted link. The weakness is tracked as CVE-2016-8369.
The vulnerabilities affect BAS Bridge versions 1.1.8 and earlier. The vendor said the flaws will not be patched as the product reached end of life in 2014, and advised customers to switch to the newer Onyxx Bridge, which is not affected by the security holes.
While BAS Bridge is no longer supported, Rupp said he still identified some systems that are accessible from the Internet. “But the fact that they are not directly connected to the Internet does not mean that they are not used in the wild,” he explained.
Lynxspring is not the only building automation company whose products have been analyzed by Rupp. A few weeks ago, ICS-CERT published an advisory describing a couple of high-severity flaws found by the expert in American Auto-Matrix products.