Your one-stop web resource providing safety and security information to manufacturers

LCDS – Leão Consultoria e Desenvolvimento de Sistemas LTDA ME updated its firmware to mitigate a path traversal vulnerability in its LAquis SCADA product, according to a report with ICS-CERT.

LAquis SCADA software, versions prior to version suffer from the remotely exploitable vulnerability discovered by Karn Ganeshen, working with Trend Micro’s Zero Day Initiative (ZDI).

Siemens Updates SIMATIC Fixes
Moxa Updates NPort Fix
Rockwell Fixes FactoryTalk Hole
Rockwell Clears Workbench Vulnerability

Successful exploitation of this vulnerability could allow an unprivileged, malicious attacker to access files remotely.

The path traversal vulnerability exists when an application does not neutralize external input to ensure users are not calling for absolute path sequences outside of their privilege level.

Schneider Bold

CVE-2017-6020 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

The LAquis SCADA product sees action in the chemical, commercial facilities, energy, food and agriculture, transportation systems, water and wastewater systems sectors. It mainly sees use in South America.

No known public exploits specifically target this vulnerability. However, an attacker with low skill level would be able to exploit the vulnerability.

Joinville-SC, Brazil-based LCDS recommends users update to the latest firmware, version

Pin It on Pinterest

Share This