
PSI GridConnect GmbH (formerly known as PSI Nentec GmbH) recommends users update their devices to mitigate a cross-site scripting vulnerability in its Telecontrol Gateway and Smart Telecontrol Unit family and its IEC104 Security Proxy, according to a report from NCCIC.

Successful exploitation of this remotely exploitable vulnerability, discovered by M. Can Kurnaz, could allow an attacker to execute dynamic script in the context of the application, that is, to carry out a cross-site scripting attack.


The following products suffer from the issue:
• Telecontrol Gateway 3G Versions 4.2.21, 5.0.27, 5.1.19, 6.0.16 and prior
• Telecontrol Gateway XS-MU Versions 4.2.21, 5.0.27, 5.1.19, 6.0.16 and prior
• Telecontrol Gateway VM Versions 4.2.21, 5.0.27, 5.1.19, 6.0.16 and prior
• Smart Telecontrol Unit TCG Versions 5.0.27, 5.1.19, 6.0.16 and prior
• IEC104 Security Proxy Version 2.2.10 and prior

The web application passes user-controllable input to the browser in a form the browser interprets as active HTML, JavaScript, or VBScript, which could allow an attacker to execute arbitrary code.
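The flaw class described above is reflected input reaching an HTML context without output encoding. The following is an added illustration, not code from PSI or from the advisory: a constructed page-rendering function in its vulnerable form beside its hardened form, with a small HTML-parser check that shows whether the browser would see a second active element in the rendered output. The function names, the `SAMPLE_INPUT` string and the page template are all assumptions made for this example.

```python
import html
from html.parser import HTMLParser


def render_unsafe(name: str) -> str:
    """'Before' form: the input is concatenated verbatim into the page, so any
    markup it contains is parsed by the browser as active HTML/script."""
    return f"<p>Hello, {name}</p>"


def render_safe(name: str) -> str:
    """Hardened form: encode the input for an HTML text context before it is
    placed in the page. html.escape with quote=True replaces & < > " and ',
    which covers HTML text and quoted attribute values."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


class TagCollector(HTMLParser):
    """Records the start tags the parser encounters, as a browser would."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def tags_in(fragment: str) -> list[str]:
    """Return the element names a browser would create for this fragment."""
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


# Constructed sample input: a display name carrying a script element.
SAMPLE_INPUT = 'Operator <script>document.title="x"</script>'


if __name__ == "__main__":
    # Unsafe rendering yields two elements: the template's <p> and an injected <script>.
    print(tags_in(render_unsafe(SAMPLE_INPUT)))  # ['p', 'script']
    # Safe rendering yields only the template's <p>; the input is inert text.
    print(tags_in(render_safe(SAMPLE_INPUT)))    # ['p']
```

The check is the one a reviewer would apply to any template that interpolates device or user data: the set of elements in the rendered output must not depend on the input. Encoding at the point of output is the fix for this class of bug; disabling the web server, as the vendor recommends below, removes the attack surface entirely where the interface is not needed.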


CVE-2019-6528 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 8.5.

The products are deployed mainly in the energy sector, on a global basis.

No known public exploits specifically target this vulnerability. However, an attacker with a low skill level could leverage the vulnerability.

Germany-based PSI recommends users of affected devices update their devices to a version where this vulnerability is patched.

To obtain the update, contact PSI GridConnect via email.

A fix for the vulnerability is available in the following software releases:
• 5.1.20
• 6.0.17
• IEC104 Security Proxy Version 2.2.11

In addition, the following software releases are no longer supported:
• 4.2.x
• 5.0.x

PSI recommends deactivating the webserver via the CLI, since the web interface is not essential to the configuration of the device.
