Automated Logic Corporation (ALC) patched an XML external entity (XXE) vulnerability in its ALC WebCTRL, Liebert SiteScan and Carrier i-VU product lines, according to an ICS-CERT advisory.
The vulnerability is remotely exploitable. Successful exploitation could lead to disclosure of confidential data, denial of service (DoS), spoofing of a request from an upstream device, port scanning from the perspective of the machine where the parser is located, and other system impacts.
The following ALC web-based building automation applications suffer from the issue discovered by Evgeny Ermakov from Kaspersky Lab:
• Liebert SiteScan Web Version 6.5, and prior
• ALC WebCTRL Version 6.5, and prior
• Carrier i-Vu Version 6.5, and prior
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.
An attacker could submit malicious input to WebCTRL, i-Vu, or SiteScan Web that is processed by a weakly configured XML parser, causing the application to execute arbitrary code or disclose file contents from the server or the connected network.
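As an added illustration of the weakness class described above (constructed example code, not ALC's, Kaspersky Lab's or ICS-CERT's, and not derived from the WebCTRL, i-Vu or SiteScan code base, about which the advisory says nothing beyond "weakly configured XML parser"), the Python block below parses the classic XXE document twice with the standard library's xml.sax. The first parser has external general entities enabled, the weak setting that lets a SYSTEM entity in the DTD pull a local file's contents into the document; the second disables external entity loading and refuses any DOCTYPE at all, which is the usual hardening for an application that never needs DTDs. The secret file, its contents and the payload are all constructed inline; the feature and property names are the real xml.sax ones.

```python
"""XXE demonstration: a weakly configured xml.sax parser beside a hardened one."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, property_lexical_handler


class TextCollector(ContentHandler):
    """Collects character data so we can see exactly what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


class DTDRejected(ValueError):
    """Raised by the hardened parser as soon as a DOCTYPE declaration appears."""


class RejectDTD:
    """LexicalHandler that refuses any DOCTYPE: no DTD means no entity declarations."""

    def startDTD(self, name, public_id, system_id):
        raise DTDRejected(f"DOCTYPE {name!r} rejected: DTDs are not accepted")

    # The remaining LexicalHandler callbacks are no-ops; expatreader looks them up.
    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def build_xxe_document(path: str) -> bytes:
    """Constructed sample input: the classic XXE payload naming a local file."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [ <!ENTITY ext SYSTEM "{path}"> ]>\n'
        '<data>&ext;</data>\n'
    ).encode()


def parse_weak(document: bytes) -> str:
    """Weak configuration: external general entities are resolved and expanded.

    This is the default on Python releases before 3.7.1; later releases turn it
    off unless the application sets it back on, as done here for the demo.
    """
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)  # the dangerous setting
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(document))
    return "".join(handler.text)


def parse_hardened(document: bytes) -> str:
    """Hardened configuration: no external entity loading and no DOCTYPE at all."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setProperty(property_lexical_handler, RejectDTD())
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(document))  # raises DTDRejected on any DOCTYPE
    return "".join(handler.text)


def demo() -> dict:
    """Run both parsers against a payload that names a constructed 'secret' file."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("CONSTRUCTED-SECRET-VALUE")  # constructed stand-in for a sensitive file
        secret_path = f.name
    try:
        doc = build_xxe_document(secret_path)
        weak = parse_weak(doc)  # file contents end up inside <data>
        try:
            parse_hardened(doc)
            hardened = "parsed"
        except DTDRejected as exc:
            hardened = f"rejected: {exc}"
    finally:
        os.unlink(secret_path)
    return {"weak": weak, "hardened": hardened}


if __name__ == "__main__":
    result = demo()
    print("weak parser exposed:", result["weak"])
    print("hardened parser:", result["hardened"])
    print("hardened parser on benign input:", parse_hardened(b"<data>hello</data>"))
```

The weak parser hands the file's text to the application as ordinary character data, which is the "disclose file contents" impact in the advisory; the hardened parser never even resolves the entity, because the DOCTYPE that declares it is refused before any entity exists. Rejecting DTDs outright is the simplest check for applications that do not need them; where DTDs are required, leaving `feature_external_ges` off and installing an `EntityResolver` that refuses external system identifiers is the narrower alternative.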
CVE-2016-5795 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 6.5.
The products are used mainly in the commercial facilities sector and are deployed worldwide.
Kennesaw, Georgia-based ALC released the following patches:
• WebCTRL 6.0, Cumulative Patch #11
• WebCTRL 6.1, Cumulative Patch #4
• WebCTRL 6.5, Cumulative Patch #5
These patch releases may be obtained from the Automated Logic accounts web site or by calling Technical Support at 770-429-3002.
• i-Vu 6.0, Cumulative Patch #11
• i-Vu 6.5, Cumulative Patch #5
These patch releases may be obtained by calling Technical Support at 800-277-9852.
ALC applications should always be installed and maintained in accordance with the vendor's guidelines.