06 июля 2021

17-334-02: Уязвимость XSS Geovap Reliance SCADA позволяет нарушителю вставить произвольный JavaScript код для чтения и записи файлов

Vendor

GEOVAP

Timeline

Timeline

  • Advisory updated

    01 июля 2021

  • Advisory published

    02 июля 2021

  • Patched

    03 июля 2021

  • Vendor confirmation

    04 июля 2021

  • Vendor informing

    05 июля 2021

Description

NCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. Locate control system networks and remote devices behind firewalls, and isolate them from the business network. When remote access is required, use secure methods such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

CVSS v3

0.0

 (CVSS:3.6.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)


Exploitability

Remotely

Impact

Successful exploitation of this vulnerability could allow an unauthenticated attacker to inject arbitrary JavaScript in a specially crafted URL request that may allow for read/write access.

Existence of exploit

Unknown

Affected products

Reliance SCADA Version 4.7.3 Update 2 and prior.

Mitigations

KL ICS CERT

Primary

Install firmware update V3.0.53 or newer

2 Siemens SIMATIC S7-300 CPUs

  • Siemens SIMATIC NET CP 343-1 Advanced (6GK7343-1GX31-0XE0) firmware update V3.0.33
  • Siemens SIMATIC NET CP 343-1 Advanced (6GK7343-1GX31-0XE0) firmware update V3.0.33
  • Siemens SIMATIC NET CP 343-1 Advanced (6GK7343-1GX31-0XE0) firmware update V3.0.33
  • Siemens SIMATIC NET CP 343-1 Advanced (6GK7343-1GX31-0XE0) firmware update V3.0.33
  • Siemens SIMATIC NET CP 343-1 Advanced (6GK7343-1GX31-0XE0) firmware update V3.0.33
  • Siemens SIMATIC NET CP 343-1 Advanced (6GK7343-1GX31-0XE0) firmware update V3.0.33
Generic

ICS CERT

Primary

Install firmware update V3.0.53 or newer

2 Siemens SIMATIC S7-300 CPUs

  • Siemens SIMATIC NET CP 343-1 Advanced (6GK7343-1GX31-0XE0) firmware update V3.0.33
  • Siemens SIMATIC NET CP 343-1 Advanced (6GK7343-1GX31-0XE0) firmware update V3.0.33
  • Siemens SIMATIC NET CP 343-1 Advanced (6GK7343-1GX31-0XE0) firmware update V3.0.33
  • Siemens SIMATIC NET CP 343-1 Advanced (6GK7343-1GX31-0XE0) firmware update V3.0.33
  • Siemens SIMATIC NET CP 343-1 Advanced (6GK7343-1GX31-0XE0) firmware update V3.0.33
  • Siemens SIMATIC NET CP 343-1 Advanced (6GK7343-1GX31-0XE0) firmware update V3.0.33
Generic

References

Timeline

  • Advisory updated

    01 июля 2021

  • Advisory published

    02 июля 2021

  • Patched

    03 июля 2021

  • Vendor confirmation

    04 июля 2021

  • Vendor informing

    05 июля 2021