LCDS – Leão Consultoria e Desenvolvimento de Sistemas LTDA ME updated its firmware to mitigate a path traversal vulnerability in its LAquis SCADA product, according to a report from ICS-CERT.
LAquis SCADA software versions prior to version 18.104.22.16837 suffer from the remotely exploitable vulnerability, which was discovered by Karn Ganeshen, working with Trend Micro’s Zero Day Initiative (ZDI).
Successful exploitation of this vulnerability could allow an unprivileged, malicious attacker to access files remotely.
A path traversal vulnerability exists when an application does not neutralize external input to ensure that users cannot request absolute path sequences outside their privilege level.
CVE-2017-6020 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
The LAquis SCADA product sees action in the chemical, commercial facilities, energy, food and agriculture, transportation systems, and water and wastewater systems sectors. It mainly sees use in South America.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill level would be able to exploit the vulnerability.
Joinville-SC, Brazil-based LCDS recommends users update to the latest firmware, version 22.214.171.12437.
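
To illustrate the weakness class described above, the following added example (not LAquis or LCDS code) contrasts a file lookup that joins external input to a base directory unchanged with one that rejects absolute paths and checks containment after resolution. The function names, the `webroot` directory and the sample requests are assumptions constructed for the illustration.

```python
import os
import tempfile

def naive_resolve(base_dir, requested):
    """Unsafe: joins external input to the base without neutralizing it."""
    # os.path.join discards base_dir when `requested` is absolute, and
    # ".." segments are kept, so the result can point anywhere on disk.
    return os.path.normpath(os.path.join(base_dir, requested))

def safe_resolve(base_dir, requested):
    """Return the real path under base_dir, or raise PermissionError."""
    base = os.path.realpath(base_dir)
    # Drive letters and leading separators mark an absolute path; a leading
    # backslash is rejected on every platform as a conservative choice.
    drive, _ = os.path.splitdrive(requested)
    if drive or os.path.isabs(requested) or requested.startswith(("/", "\\")):
        raise PermissionError("absolute path rejected")
    # realpath collapses ".." and follows symlinks before the containment check.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError("path escapes base directory")
    return candidate

def is_allowed(base_dir, requested):
    """True when the request resolves to a location inside base_dir."""
    try:
        safe_resolve(base_dir, requested)
        return True
    except (PermissionError, ValueError):  # ValueError: e.g. embedded NUL byte
        return False

def demo():
    """Build a constructed directory tree and classify sample requests."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "webroot")
        os.makedirs(os.path.join(base, "reports"))
        outside = os.path.join(root, "secret.cfg")  # constructed file outside base
        open(outside, "w").close()
        samples = {
            "relative": "reports/daily.txt",
            "dotdot": "../secret.cfg",
            "absolute": outside,
            "nested-dotdot": "reports/../../secret.cfg",
        }
        return {label: is_allowed(base, path) for label, path in samples.items()}

if __name__ == "__main__":
    print(demo())
```
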