PSI GridConnect GmbH (formerly known as PSI Nentec GmbH) recommends users update their devices to mitigate a cross-site scripting vulnerability in its Telecontrol Gateway and Smart Telecontrol Unit family, IEC104 Security Proxy, according to a report with NCCIC.
Successful exploitation of this remotely exploitable vulnerability, discovered by M. Can Kurnaz, could allow an attacker to execute dynamic scripts in the context of the application, which could allow cross-site scripting attacks.
The following products suffer from the issue:
• Telecontrol Gateway 3G Versions 4.2.21, 5.0.27, 5.1.19, 6.0.16 and prior
• Telecontrol Gateway XS-MU Versions 4.2.21, 5.0.27, 5.1.19, 6.0.16 and prior
• Telecontrol Gateway VM Versions 4.2.21, 5.0.27, 5.1.19, 6.0.16 and prior
• Smart Telecontrol Unit TCG Versions 5.0.27, 5.1.19, 6.0.16 and prior
• IEC104 Security Proxy Version 2.2.10 and prior
CVE-2019-6528 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.5.
The products see use mainly in the energy sector. They also see action on a global basis.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.
Germany-based PSI recommends users of affected devices update their devices to a version where this vulnerability is patched.
To obtain the update, contact PSI GridConnect via email.
A fix for the vulnerability is available in the following software releases:
• IEC104 Security Proxy Version 2.2.11
In addition, the following software releases are no longer supported:
PSI recommends deactivating the webserver via CLI since the web interface is not essential to the configuration of the device.