OPW Fuel Management Systems has an upgrade available to fix a missing authentication for critical function vulnerability and a SQL injection vulnerability in its SiteSentinel Integra and SiteSentinel iSite products, according to an ICS-CERT report.
Successful exploitation of these remotely exploitable vulnerabilities, discovered by Semen Rozhkov of Kaspersky Lab, could allow an unauthorized user to create an account on the device or access the device’s database.
OPW hired a third-party testing firm to validate that the firmware upgrade resolved the security issues.
OPW Fuel Management Systems (OPW) reports the vulnerabilities affect SiteSentinel Integra 100, SiteSentinel Integra 500, and SiteSentinel iSite ATG consoles with the following software versions:
• Older than V175
No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level could exploit them.
In the missing authentication vulnerability, an attacker may create an application user account to gain administrative privileges.
CVE-2017-12733 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
In addition, the application is vulnerable to injection of malicious SQL queries via client-supplied input.
CVE-2017-12731 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.2.
The products see use mainly in the energy and transportation systems sectors and are deployed on a global basis.
OPW issued “Service Bulletin 462” and a letter to users to inform them of the availability of free upgrades (firmware Version 17Q2.1) to mitigate these vulnerabilities.
OPW said users should upgrade all affected systems, even those already protected from exploitation by running offline or by being located on a protected network.
OPW released instructions telling users how to update to the newest firmware version. For specific step-by-step instructions on how to save settings, back up the database, and install the new firmware, see the upgrade procedure (M00-20-4438).
More information can also be found in the configuration guide.
For additional assistance, users and distributors may call the technical service line at 877-OPW-TECH (877-679-8324). OPW also dedicated an additional phone number specifically for addressing this issue: 312-244-0632. Users may also email the company or contact their commercial district manager.