American Auto-Matrix created an update that fixes a local file inclusion vulnerability and a plain text storage of password vulnerability in its Building Automation Front-End Solutions application on the Aspect-Nexus platform, according to a report with ICS-CERT.
As for the Aspect-Matrix hardware platform, it reached end of life in 2015 and will receive no further updates.
These vulnerabilities, discovered by independent researcher Maxim Rupp, are remotely exploitable.
The following Building Automation Front-End Solutions versions are affected:
• Aspect-Nexus Building Automation Front-End Solutions application versions prior to 3.0.0
• Aspect-Matrix Building Automation Front-End Solutions application all versions
User logins and passwords presented in plain text give an attacker authenticated credentials to all aspects of the system.
American Auto-Matrix is an Export, PA-based company.
The affected product, Building Automation Front-End Solutions application, is a building automation integration device. Building Automation Front-End Solutions application sees action across several sectors including commercial facilities, critical manufacturing, energy, and water and wastewater systems. This product sees use primarily in the United States.
As for the local file inclusion vulnerability, an attacker without authorization can read files on the host, including the configuration file.
CVE-2016-2307 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
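The advisory does not say how the Aspect-Nexus front-end resolves file paths, so the following is an added illustration, not the product's code: it shows the naive join that lets a request such as `../../config/settings.xml` escape the web root, next to the confinement check that keeps every served file under the document root (the root directory and the request strings are constructed for this example).

```python
from pathlib import Path

# Hypothetical document root of a web front-end; constructed for this example.
DOC_ROOT = Path("/srv/webui/public")


def resolve_request_path_unsafe(doc_root: Path, requested: str) -> Path:
    """Naive join: '..' components in the request walk out of doc_root,
    which is the shape of a local file inclusion bug."""
    return doc_root / requested


def resolve_request_path(doc_root: Path, requested: str) -> Path:
    """Hardened resolution: normalise the candidate path (collapsing '..'
    and following symlinks) and refuse anything that does not end up
    inside doc_root. Absolute requests are treated as relative to the root."""
    root = doc_root.resolve()
    candidate = (root / requested.lstrip("/")).resolve()
    # The root itself is acceptable; anything else must have root as an ancestor.
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"request escapes document root: {requested!r}")
    return candidate


def is_confined(requested: str, doc_root: Path = DOC_ROOT) -> bool:
    """Boolean view of the hardened check, convenient for tests and for
    a request filter that logs and rejects traversal attempts."""
    try:
        resolve_request_path(doc_root, requested)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for req in ("css/site.css", "../../config/settings.xml", "/index.html"):
        print(f"{req!r:35} unsafe -> {resolve_request_path_unsafe(DOC_ROOT, req)}")
        print(f"{'':35} confined -> {is_confined(req)}")
```

Because the check runs on the resolved path, a symlink placed inside the document root that points elsewhere on the host is rejected as well, which a purely lexical `..` filter would miss.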
In addition, in a file that is accessible without authentication, passwords are stored in plain text.
CVE-2016-2308 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.6.
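The page does not describe the format of the affected file, so this is an added example rather than anything from the product: it contrasts the plain text pattern the advisory describes with a credential store that keeps only a salted PBKDF2 hash, so that a file read through an unauthenticated path or an inclusion bug no longer hands over usable logins. The user names and passwords are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import os

# Work factor for PBKDF2-HMAC-SHA256; stored per record so it can be raised later.
PBKDF2_ITERATIONS = 600_000


def store_password_plaintext(users: dict, username: str, password: str) -> None:
    """The pattern the advisory describes: whoever can read the file has the login."""
    users[username] = password


def store_password_hashed(users: dict, username: str, password: str) -> None:
    """Store a random salt and a PBKDF2 hash instead of the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    users[username] = {
        "salt": base64.b64encode(salt).decode("ascii"),
        "hash": base64.b64encode(digest).decode("ascii"),
        "iterations": PBKDF2_ITERATIONS,
    }


def verify_password(users: dict, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    record = users.get(username)
    if not isinstance(record, dict):
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        base64.b64decode(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, base64.b64decode(record["hash"]))


def export_credential_file(users: dict) -> str:
    """Serialise the store the way it would land on disk; with hashed records
    the output contains no password material."""
    return json.dumps(users, indent=2, sort_keys=True)


def demo() -> tuple[str, str]:
    """Build one store of each kind with the same constructed credentials and
    return both serialised files for comparison."""
    plain, hashed = {}, {}
    store_password_plaintext(plain, "operator", "hunter2-sample")
    store_password_hashed(hashed, "operator", "hunter2-sample")
    return export_credential_file(plain), export_credential_file(hashed)


if __name__ == "__main__":
    plain_file, hashed_file = demo()
    print("plain text store:\n", plain_file)
    print("hashed store:\n", hashed_file)
```

Hashing is defence in depth: the file still needs proper access control, but a leaked hashed store forces an attacker through an offline guessing attack per account instead of giving away every login outright.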
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill would be able to exploit these vulnerabilities.
American Auto-Matrix recommends the following steps:
Download the zip file located at Dealer Toolbox http://www.aamatrix.com/aspect-new-features under Product Support > Software Updates. Then:
• Unzip the attached file
• Install the .aam file through the WebUI under [System Administration > System Updates]
Users will then need to reboot the unit in order to complete the upgrade process.