Siemens created an update to mitigate an incorrect file permissions vulnerability in APOGEE Insight, according to a report on ICS-CERT.
Network & Information Security Ltd. Company and HuNan Quality Inspection Institute reported this issue directly to Siemens.
All versions of APOGEE Insight prior to 3.15 suffer from the issue.
This vulnerability could allow authenticated users of the operating system to modify application data for the affected product.
Siemens is a multinational company headquartered in Munich, Germany.
The affected product, APOGEE Insight software, provides a graphical interface to manage and control buildings. APOGEE Insight software sees action across several sectors including commercial facilities. Siemens officials said this product sees use on a global basis.
The file permissions set for the APOGEE Insight application folder could allow authenticated operating system users to modify the APOGEE Insight application data if local access ended up obtained.
CVE-2016-3155 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 3.4.
This vulnerability is not exploitable remotely, and an attacker would need to be an authenticated user of the operating system.
No known public exploits specifically target this vulnerability. An attacker with a low skill would be able to exploit this vulnerability.
Siemens released a new APOGEE Insight version to resolve the vulnerability. Version 3.15 can be obtained by calling the local service organization. If users need assistance in identifying the local service organization, click here to find a local Siemens hotline center to call.
Until the new version can be applied, Siemens has detailed instructions on how to mitigate the vulnerability by correcting file permissions. To receive these instructions, users should contact their local service organization or a local Siemens hotline center.
For more information on this vulnerability and more detailed mitigation instructions, click on Siemens Security Advisory SSA-151221.