09 October 2020

KLCERT-20-017: Session Information Exposure in ARC Informatique PcVue

Vendor

ARC Informatique

Researcher

Andrey Muravitsky, Senior Security Researcher, Kaspersky ICS CERT

Timeline

  • Kaspersky ICS CERT advisory updated

    15 November 2023

  • Kaspersky ICS CERT advisory published

    09 October 2020

Description

An information exposure vulnerability exists in PcVue 12, allowing a non-authorized user to access session data of legitimate users.

Exploitability

Remotely

Attack complexity

Low

User interaction

None

Impact

Exposure of data from sessions corresponding to users connected via WebVue, the WebScheduler or the TouchVue mobile app.

Existence of exploit

PoC

Affected products

ARC Informatique PcVue 12.0.7 (including) through 12.0.23 (excluding)

Mitigation

Vendor mitigation

Update ARC Informatique PcVue software to v12.0.23 or newer.

The Property Server is part of the Web & Mobile extensions of PcVue. If your system does not require the use of the Web & Mobile features, you should make sure not to install them. In all cases, Web & Mobile extensions should only be installed on the PcVue Web back end server.

Kaspersky ICS CERT mitigation

  • Set up the border firewall (or a similar network traffic control solution) to allow only authorized parties to send traffic to port 8090/TCP of the system.
  • Use virtual private networks (VPN) to secure remote access to the industrial network. A VPN encrypts network traffic between VPN clients and the VPN server, as well as providing secure authorized access to local resources on the company’s internal network. Traffic encryption protects against traffic eavesdropping attacks, including man-in-the-middle (MITM) and other types of traffic analysis attacks.
  • Compartmentalize your network: implement network segmentation and strict access control for each segment to provide more comprehensive and effective protection against a wide range of threats. Proper network segmentation prevents attackers from reaching critical assets in the event of a network breach.
  • Implement a network intrusion detection system (NIDS). A comprehensive intrusion detection system is capable of detecting unusual network connections and abnormal traffic sent to the device, providing timely information about various suspicious activities and sufficiently reducing the attacker’s chances of successful exploitation.
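One way to check that the 8090/TCP restriction above actually holds is to review firewall or flow logs for connections to that port from sources outside the authorized set. The following is an added example, not part of the original advisory or of any vendor tooling; the log format, the allowlist networks and all addresses are constructed assumptions.

```python
import ipaddress
from collections import Counter

PROPERTY_SERVER_PORT = 8090  # port named in the advisory's mitigation

# Assumption: sources permitted to reach 8090/TCP (constructed values).
AUTHORIZED_SOURCES = [ipaddress.ip_network(n)
                      for n in ("10.20.0.0/24", "10.30.5.17/32")]

# Constructed flow records (hypothetical format):
# "timestamp proto src_ip src_port dst_ip dst_port action"
SAMPLE_FLOWS = """\
2023-11-15T08:00:01Z TCP 10.20.0.14 51522 10.10.1.5 8090 ALLOW
2023-11-15T08:00:07Z TCP 192.0.2.44 40211 10.10.1.5 8090 ALLOW
2023-11-15T08:00:09Z TCP 192.0.2.44 40212 10.10.1.5 8090 ALLOW
2023-11-15T08:01:30Z TCP 198.51.100.9 33900 10.10.1.5 8090 DENY
2023-11-15T08:02:00Z TCP 192.0.2.44 40300 10.10.1.5 443 ALLOW
2023-11-15T08:02:11Z UDP 203.0.113.7 5353 10.10.1.5 8090 ALLOW
truncated line
"""

def is_authorized(src_ip):
    """True if the source address falls inside any allowlisted network."""
    return any(src_ip in net for net in AUTHORIZED_SOURCES)

def unauthorized_8090_flows(log_text):
    """Count unauthorized sources contacting 8090/TCP.

    Returns (allowed, denied): 'allowed' entries are gaps in the firewall
    policy, 'denied' entries are blocked attempts worth watching.
    """
    allowed, denied = Counter(), Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip malformed or truncated records
        _, proto, src, _, _, dport, action = fields
        try:
            src_ip = ipaddress.ip_address(src)
            if proto != "TCP" or int(dport) != PROPERTY_SERVER_PORT:
                continue
        except ValueError:
            continue  # unparsable address or port
        if not is_authorized(src_ip):
            (allowed if action == "ALLOW" else denied)[src] += 1
    return allowed, denied

if __name__ == "__main__":
    gaps, blocked = unauthorized_8090_flows(SAMPLE_FLOWS)
    for src, n in gaps.items():
        print(f"FIREWALL GAP: {src} reached 8090/TCP {n} time(s)")
    for src, n in blocked.items():
        print(f"blocked attempt: {src} ({n} time(s))")
```

Any source reported as a gap means the border rule is wider than intended and should be tightened.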

Kaspersky Lab publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky Lab does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.
