Trihedral Engineering, a Canada-based company that specializes in developing software for SCADA systems, has patched several remotely exploitable vulnerabilities in its VTScada product.
VTScada, which allows users to develop industrial monitoring and control software, is deployed in North America and Europe in the water and wastewater, oil and gas, power generation, marine, broadcasting, food and beverage, manufacturing, and airport solutions sectors.
According to an advisory published this week by ICS-CERT, a WAP component in VTScada is plagued by three critical- and high-severity vulnerabilities that can be exploited remotely, even by an attacker with low skill.
The flaws are an out-of-bounds read issue that can be leveraged to crash the software (CVE-2016-4523), a path traversal that allows an attacker to access any file (CVE-2016-4532), and an authentication bypass vulnerability that can be exploited to read arbitrary files (CVE-2016-4510).
Trihedral patched the vulnerabilities in version 11.2.02 of the software by removing the affected WAP component altogether.
In a statement published on its website, the vendor clarified that the affected WAP server is an optional component used for basic monitoring and control from older mobile phones. In recent years, Trihedral has introduced alternative remote connectivity features that provide access via a web interface.
The company said it notified the eight customers who had been using this feature and there is no evidence that they have been targeted in attacks exploiting these vulnerabilities. While ICS-CERT’s advisory says the vulnerabilities can be exploited by a low-skilled attacker, Trihedral representatives believe that exploiting them is “neither easy nor obvious.”
“No software is future-proof and new attack vectors emerge, even for systems without internet access. Our permanent development team conducts regular code reviews and uses the latest hacking strategies to find weaknesses,” said Glenn Wadden, President of Trihedral and Chief Software Architect for VTScada. “We at Trihedral thank the ICS-CERT team for their hard work in keeping infrastructure safe.”
Vulnerabilities in KMC Controls Routers
In a different advisory published this week, ICS-CERT described two medium-severity issues affecting KMC Controls’ Conquest BACnet routers, products used in building automation systems in the Americas, the Middle East and Southeast Asia.
The vulnerabilities, a cross-site request forgery (CSRF) and a missing authorization issue, have been addressed by the vendor with a firmware update.