Ice Qube has a new version out to mitigate improper authentication and unprotected storage of credentials vulnerabilities in its Thermal Management Center, according to a report from NCCIC.
Successful exploitation of these vulnerabilities, discovered by Maxim Rupp, could allow an attacker to gain unauthorized access to configuration files or obtain sensitive information.
The Thermal Management Center is an environmental software management platform, and all versions prior to 4.13 suffer from the remotely exploitable vulnerabilities.
In one vulnerability, the web application does not properly authenticate users, which may allow an attacker to gain access to sensitive information.
CVE-2017-14026 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.6.
In another vulnerability, passwords are stored in plaintext in a file that is accessible without authentication.
CVE-2017-16714 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.6.
The product sees use in the commercial facilities, critical manufacturing, energy, and water sectors. It also sees use on a global basis.
No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level could leverage the vulnerabilities.
Ice Qube recommends that users of affected versions upgrade to Thermal Management Center v4.13 or newer, which can be obtained by emailing Technical Support or by calling Technical Support at 724-837-7600.