Orpak, which was acquired by Gilbarco Veeder-Root, has an update available to mitigate multiple vulnerabilities in its SiteOmat, according to a report with NCCIC.
The remotely exploitable vulnerabilities include a use of hard-coded credentials, cross-site scripting, SQL injection, missing encryption of sensitive data, code injection, and a stack-based buffer overflow.
Successful exploitation of these vulnerabilities, discovered by Ido Naor of Kaspersky Lab, could lead to arbitrary remote code execution resulting in possible denial-of-service conditions and unauthorized access to view and edit monitoring, configuration, and payment information. Public exploits are available. In addition, an attacker with low skill level could leverage the issues.
The following versions of SiteOmat, software for fuel station management, are affected:
• SiteOmat versions prior to 6.4.414.122 only are vulnerable to stack-based buffer overflow CVE-2017-14854 and Code Injection CVE-2017-14853
• SiteOmat Versions prior to 6.4.414.084
In one vulnerability, the application utilizes hard coded username and password credentials for application login.
CVE-2017-14728 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
In addition, the application web interface does not properly neutralize user-controllable input, which could allow cross-site scripting.
CVE-2017-14850 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.1.
Also, the application does not properly sanitize external input, which may allow an attacker to access the product by specially crafted input.
CVE-2017-14851 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.4.
In addition, the application transmits information in plain text, including credentials, which could allow an attacker with access to transmitted data to obtain credentials and bypass authentication.
CVE-2017-14852 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.6.
In another issue, the application does not properly restrict syntax from external input, which could allow unauthenticated users to execute specially crafted code on the target system.
CVE-2017-14853 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.6.
Also, the application utilizes a function that accepts user input. This input is not properly validated, which could allow an attacker to execute arbitrary code.
CVE-2017-14854 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.1.
The product sees use in the commercial facilities, energy, and transportation systems sector. It also sees action on a global basis.
Israel-based Orpak recommends users of affected versions update to the latest release v6.4.414.139 or later. The update can be obtained by contacting customer care with the following options:
Online Ticket (login required)
Tel: +972 3 577 6864