Ecava created a new release that mitigates an information disclosure vulnerability in its IntegraXor application.
Independent researcher Andrea Micalizzi, aka rgod, discovered the remotely exploitable vulnerability and submitted it to the Zero Day Initiative (ZDI) who in turn, coordinated the information with ICS-CERT.
IntegraXor versions prior to 4.1.4410 suffer from the issue.
An attacker with guest privileges may be able to read administrative credentials.
Ecava Sdn Bhd (Ecava) is a Malaysia-based software development company that provides the IntegraXor SCADA product. Ecava specializes in factory and process automation solutions.
IntegraXor is a suite of tools used to create and run a web-based human-machine interface for a SCADA system. IntegraXor sees action in several areas of process control in 38 countries with the largest installation based in the United Kingdom, United States, Australia, Poland, Canada, and Estonia.
The application web server fails to adequately isolate the “guest” user. By default, an anonymous attacker can run SELECT queries and can read the clear text administrative credentials.
CVE-2014-0786 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.5.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill would be able to exploit this vulnerability.
A customer notification from Ecava is available that details this vulnerability and provides mitigation guidance. Ecava recommends users download and install the update, IntegraXor SCADA Server 4.1.4410, from their support web site.
For additional information, click on Ecava’s vulnerability note.