Since Lynxspring discontinued the JENEsys BAS Bridge application, the company is recommending users upgrade to the Onyxx Bridge product so it can offset the vulnerabilities in the older application, according to a report with ICS-CERT.
These vulnerabilities, discovered by independent researcher Maxim Rupp, are remotely exploitable.
BAS Bridge versions 1.1.8 and older suffer from the issues.
Attackers are able to change permissions and access controls and also gain access to the system. They are also able to retrieve credentials. The application transmits or stores authentication credentials and uses an insecure method that is susceptible to unauthorized interception and/or retrieval. The application also does not properly verify requests allowing attackers to use a cross‑site request forgery.
Lynxspring is a U.S.-based company that maintains offices in Lee’s Summit, Missouri.
The affected product, BAS Bridge, is a web-based SCADA system. BAS Server sees action across several sectors including commercial facilities, critical manufacturing, energy, and water and wastewater systems. Lynxspring estimates this product sees use primarily in the United States.
A user with read-only access can send commands to the software and the application will accept those commands. This would allow an attacker with read-only access to make changes within the application.
CVE-2016-8357 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.1.
In addition, the application uses a hard-coded username with no password allowing an attacker into the system without authentication.
CVE-2016-8361 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.6.
Also, the application’s database lacks sufficient safeguards for protecting credentials.
CVE-2016-8378 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
Additionally, the application does not sufficiently verify if a request ended up intentionally provided by the user who submitted the request.
CVE-2016-8369 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill would be able to exploit these vulnerabilities.
Lynxspring recommends replacing existing BAS Bridge installations with the Onyxx Bridge product. The Onyxx Bridge product has been tested by Lynxspring to be free of the existing vulnerabilities in the old product. BAS Bridge has been end of life since 2014 and no further updates will end up issued.