Tibbo created a new version to mitigate vulnerabilities in its AggreGate SCADA/HMI package, which is part of the AggreGate Platform, according to a report on ICS-CERT.
One of the vulnerabilities, reported by security researcher Andrea Micalizzi (rgod) through HP's Zero Day Initiative (ZDI), is remotely exploitable.
AggreGate Platform Version 5.21.02 and prior versions suffer from the vulnerabilities.
Successful exploitation of the identified vulnerabilities may allow an attacker to execute arbitrary code and commands.
Tibbo is a Taiwan-based company. Tibbo’s partner network includes distributors, manufacturers, and integrators from more than 50 countries.
The affected product, AggreGate Platform, is an Internet of Things integration platform that employs network technologies to control, configure, monitor, and service different electronic devices.
The AggreGate Platform sees action across several sectors including commercial facilities, communications, critical manufacturing, energy, healthcare and public health, transportation systems, and water and wastewater systems. Tibbo estimates these products see use on a global basis.
Through a servlet, it is possible to upload arbitrary Java code; application properties can then be imported from the uploaded files, which could allow arbitrary code and command execution.
CVE-2015-7912 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
In addition, the administrative service can be contacted by local users to publish arbitrary classes. By writing a Java file inside the application main root, it is possible to run arbitrary code and commands.
CVE-2015-7913 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.4.
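Both issues above come down to the same defensive failure: an upload or publish path that accepts Java code and lets it land where the application will load it. The following helper is an added example written for this article, not code from Tibbo or AggreGate, showing the checks a hardened upload handler would apply: a caller-role check, an extension allow-list, rejection of class-file, JAR and Java-source content even when the file is renamed, and confinement of the destination to a dedicated upload directory rather than the application root. The role name `admin`, the allowed extensions and the upload directory are assumptions for the example.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical upload-validation helper (example code, not AggreGate's own).
 * It decides whether an uploaded file may be stored and where, rejecting
 * anything that could be loaded as Java code by the application.
 */
public final class UploadPolicy {

    // Assumption: these are the only import formats this deployment needs.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("csv", "xml", "properties");

    // JVM class files begin with 0xCAFEBABE; JAR files are ZIP archives ("PK").
    private static final byte[] CLASS_MAGIC = {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE};
    private static final byte[] ZIP_MAGIC = {0x50, 0x4B};

    // Assumption: a directory the application never loads classes from.
    private final Path uploadRoot;

    public UploadPolicy(Path uploadRoot) {
        this.uploadRoot = uploadRoot.toAbsolutePath().normalize();
    }

    /** Returns the confined destination path, or throws SecurityException. */
    public Path validate(String claimedName, byte[] content, Set<String> callerRoles) {
        // Publishing files must require an administrative role, not just a local session.
        if (!callerRoles.contains("admin")) {
            throw new SecurityException("upload requires the admin role");
        }

        // Drop any client-supplied directory components such as "../../webapps/".
        String baseName;
        try {
            Path name = Paths.get(claimedName).getFileName();
            if (name == null) {
                throw new SecurityException("empty file name");
            }
            baseName = name.toString();
        } catch (InvalidPathException e) {
            throw new SecurityException("malformed file name");
        }

        // Allow-list the extension instead of block-listing ".java"/".class".
        int dot = baseName.lastIndexOf('.');
        String ext = dot < 0 ? "" : baseName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new SecurityException("file type not allowed: " + baseName);
        }

        // Inspect the bytes too: a renamed class file or JAR is still executable code.
        if (startsWith(content, CLASS_MAGIC) || startsWith(content, ZIP_MAGIC)) {
            throw new SecurityException("binary Java artifact rejected: " + baseName);
        }
        if (looksLikeJavaSource(content)) {
            throw new SecurityException("Java source rejected: " + baseName);
        }

        // Confine the destination to the upload directory, never the application root.
        Path dest = uploadRoot.resolve(baseName).normalize();
        if (!dest.startsWith(uploadRoot)) {
            throw new SecurityException("destination escapes upload root");
        }
        return dest;
    }

    private static boolean startsWith(byte[] data, byte[] magic) {
        return data.length >= magic.length
                && Arrays.equals(Arrays.copyOf(data, magic.length), magic);
    }

    // Simple heuristic: Java source normally opens with a package/import line
    // or declares a class; tune or replace with a real parser in production.
    private static boolean looksLikeJavaSource(byte[] data) {
        String head = new String(data, 0, Math.min(data.length, 4096), StandardCharsets.UTF_8).trim();
        return head.startsWith("package ") || head.startsWith("import ")
                || head.contains("public class ") || head.contains("class ") && head.contains("{");
    }

    public static void main(String[] args) {
        UploadPolicy policy = new UploadPolicy(Paths.get("/var/app/uploads"));
        Set<String> admin = Set.of("admin");

        // Constructed sample inputs for demonstration.
        System.out.println(policy.validate("sensors.csv", "id,value\n1,42\n".getBytes(StandardCharsets.UTF_8), admin));

        String[] names = {"Evil.java", "../../app/Evil.csv", "Evil.csv"};
        byte[][] bodies = {
            "public class Evil { }".getBytes(StandardCharsets.UTF_8),
            "id,value\n".getBytes(StandardCharsets.UTF_8),
            new byte[] {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE, 0, 0, 0, 52}
        };
        for (int i = 0; i < names.length; i++) {
            try {
                System.out.println(policy.validate(names[i], bodies[i], admin));
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The traversal case is worth noting: the `..` segments are stripped by `getFileName()`, so the file would still be accepted, but only under the upload root; it is the content and extension checks, together with a deployment that never loads classes from that directory, that close the code-execution path the advisory describes.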
No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level would be able to exploit these vulnerabilities.
Tibbo released a new version of the AggreGate Platform, Version 5.30.06, to mitigate the identified vulnerabilities.