
Computrols has upgrades available to handle multiple vulnerabilities in its CBAS Web, according to a report with NCCIC.

The vulnerabilities include a cross-site request forgery, information exposure through discrepancy, cross-site scripting, command injection, information exposure through source code, use of hard-coded cryptographic key, SQL injection, authentication bypass using an alternate path or channel, and inadequate encryption strength.


In one vulnerability, users can perform certain actions via HTTP requests without performing any validity checks, which may allow unauthorized actions with administrative privileges if a logged-in user visits a malicious website.

CVE-2019-10847 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.0.

In addition, the application suffers from a username enumeration weakness. The device behaves differently or sends different responses in a way that may expose security-relevant information about the state of the product.

CVE-2019-10848 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

Also, specific parameters passed to scripts are not sanitized before being returned to the user, which may allow an attacker to execute arbitrary code in a user’s browser session in the context of an affected site.

CVE-2019-10846 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.4.

In another issue, the application incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component, which could allow attackers to execute commands directly on the operating system.

CVE-2019-10854 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.

In addition, the application has an unprotected subversion directory, which may allow an attacker to download the entire firmware codebase and discover sensitive information about the inner workings of the underlying OS.

CVE-2019-10849 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

Also, several scripts contain a hard-coded encryption key for database backup file decryption, which may allow an authenticated attacker to gain access to the full database of the device and discover sensitive information.

CVE-2019-10851 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.

In another issue, there is improper validation of parameters passed to different scripts, which may allow a remote authenticated attacker to execute arbitrary SQL commands in the application’s database.

CVE-2019-10852 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.3.

Also, sending specific parameters to a function will enable the auth flag, which may allow an unauthenticated attacker to bypass authentication and gain full control of the device.

CVE-2019-10853 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.1.

In addition, the application stores the passwords in the database using the MD5 hash. The MD5 algorithm is vulnerable to known cryptographic attacks, which may allow discovery of passwords.

CVE-2019-10855 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
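As an added illustration of two of the weaknesses described above (the username enumeration through differing login responses and the unsalted MD5 password storage), not code from the advisory or from Computrols: a constructed Python comparison of the weak storage scheme with a salted, iterated KDF, plus a login routine that answers identically whether or not the account exists. All names and sample values are assumptions.

```python
import hashlib
import hmac
import os


def md5_store(password: str) -> str:
    """The weak scheme the advisory describes: unsalted, fast MD5.
    Two users with the same password get the same stored value."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, iterations: int = 200_000) -> tuple[bytes, bytes, int]:
    """Hardened scheme: per-user random salt and a slow, iterated KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations


def pbkdf2_verify(password: str, salt: bytes, digest: bytes, iterations: int) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(candidate, digest)


# Constructed dummy record: a lookup miss costs the same KDF work as a hit,
# so response time does not reveal whether the username exists.
_DUMMY_RECORD = pbkdf2_store("dummy-password-never-valid")


def login(users: dict, username: str, password: str) -> str:
    """Return one generic message for a bad username and a bad password alike."""
    record = users.get(username, _DUMMY_RECORD)
    ok = pbkdf2_verify(password, *record) and username in users
    return "ok" if ok else "invalid username or password"


if __name__ == "__main__":
    # Constructed sample accounts sharing a password.
    print(md5_store("summer2019") == md5_store("summer2019"))      # identical: True
    _, d1, _ = pbkdf2_store("summer2019")
    _, d2, _ = pbkdf2_store("summer2019")
    print(d1 == d2)                                                 # salted: False
    users = {"alice": pbkdf2_store("summer2019")}
    print(login(users, "alice", "wrong"), "|", login(users, "nobody", "wrong"))
```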

The product sees use in the commercial facilities, government facilities, and healthcare and public health sectors. It sees action mainly in North America.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

Computrols recommends users upgrade to the following versions or later for each respective major version of CBAS Web:
• 19.0.1
• 18.0.1
• 15.0.1
• 14.0.1
• 8.0.7
• 7.2.1-Beta
• 6.9.2
• 4.8.2
• 3.15.1

Updated software can be obtained by contacting Computrols Technical Support.

For more information, see the Computrols security advisory.
