Emerson produced patches to mitigate an XML External Entity (XXE) vulnerability affecting its Liebert SiteScan application, according to a report with ICS-CERT.
SiteScan Web Version 6.5, and prior suffer from the remotely exploitable vulnerability, discovered by researcher Evgeny Ermakov from Positive Technologies.
Exploitation of this vulnerability may lead to the disclosure of confidential data, denial of service (DoS), server side request forgery, port scanning from the perspective of the machine where the parser is, and other system impacts.
Emerson is a U.S.-based company that maintains offices in several countries around the world, including the U.S., UK, Netherlands, Italy, India, Germany, France, Czech Republic, China, and Australia.
The affected product, Liebert SiteScan, is a web-based data center monitoring application providing centralized oversight of Liebert precision air, power and UPS units, as well as many other analog or digital devices. According to Emerson, Liebert SiteScan sees action across several sectors including commercial facilities, critical manufacturing, energy, water and wastewater systems. Emerson reports this product sees use on a global basis.
An attacker may enter malicious input to Liebert SiteScan through a weakly configured XML parser causing the application to execute arbitrary code or disclose file contents from a server or connected network.
CVE-2016-8348 is the case number assigned to this vulnerability, which has a CVSSv3 base score: 7.5.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill would be able to exploit this vulnerability.
Emerson recommends affected users update Liebert SiteScan with the following patches:
• SiteScan Web Version 6.1, the patch file is: WS61_Security_Update.update
• SiteScan Web Version 6.5, the patch file is: WS65_Security_Update.update
These patches may end up obtained by contacting Liebert Services at 800-543-2378.