LCDS – Leão Consultoria e Desenvolvimento de Sistemas LTDA ME updated its software to mitigate an improper access control vulnerability in its LAquis SCADA product, according to an ICS-CERT report.
LAquis SCADA software, Versions 4.1 and prior versions released before January 20, suffer from the issue, which was reported by researcher Karn Ganeshen. He also tested the update.
Successful exploitation of this vulnerability could allow authenticated system users to escalate their privileges and modify or replace application files.
No known public exploits specifically target this vulnerability. This vulnerability is not remotely exploitable. An attacker with a low skill level would be able to leverage this vulnerability.
The product sees use mainly in the chemical, commercial facilities, energy, food and agriculture, transportation systems and water and wastewater systems industries. It sees action mostly in South America.
The improper access control vulnerability could allow an authenticated user to modify application files to escalate privileges.
CVE-2017-6016 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.
Joinville–SC, Brazil-based LCDS recommends users install the update.