Trihedral released updated software to mitigate resource consumption, cross-site scripting and information exposure vulnerabilities in its VTScada product, according to a report with ICS-CERT.
VTScada Versions prior to 11.2.26 suffer from the remotely exploitable vulnerability discovered by Karn Ganeshen who has also tested the patch.
Successful exploitation of these vulnerabilities could result in uncontrolled resource consumption, arbitrary code execution, or information exposure.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill level could leverage the vulnerabilities.
In one vulnerability, the client does not properly validate the input or limit the amount of resources that are utilized by an attacker, which can be used to consume more resources than are available.
CVE-2017-6043 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
CVE-2017-6053 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.
Some files are exposed within the web server application to unauthenticated users. These files may contain sensitive configuration information.
CVE-2017-6045 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
The product sees action in the chemical, critical manufacturing, communications, energy, food and agriculture, transportation systems and water and wastewater systems sectors. It also sees use mainly in North America and Europe,
Bedford, Nova Scotia, Canada-based Trihedral recommends users of an affected version update to the latest version, v11.2.26.
Click here for help file notes for upgrading VTScada/VTS.