Visonic released an updated firmware version to mitigate cross-site scripting and source code disclosure vulnerabilities in its PowerLink2 module, according to an ICS-CERT report.
These vulnerabilities, discovered by independent researcher Aditya K. Sood, are remotely exploitable.
All versions of PowerLink2 prior to the October 2016 firmware release suffer from the issues.
Successful exploitation of these vulnerabilities allows an attacker to gather information on how server-side images are generated. Careful analysis, combined with some additional information (from testing the product), allows an attacker to download images from the server.
Visonic is an Israel-based company and subsidiary of Tyco. It maintains offices in several countries around the world, including the U.S., UK, Denmark, Poland, Spain, Germany, Singapore, China, and Australia.
The affected product, PowerLink2, provides a web interface to view and control an intrusion security system. PowerLink2 modules are used in the commercial facilities sector. Visonic estimates this product is used primarily in the United States and Europe, with a small percentage in Asia.
In one vulnerability, a cross-site scripting flaw, user-controlled input is not neutralized before it is placed into web page output.
CVE-2016-5811 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.1.
In addition, when a specific URL to an image is accessed, the downloaded image carries with it source code used in the web server.
CVE-2016-5813 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill would be able to exploit these vulnerabilities.
Visonic recommends affected users employ the following mitigations: For products that are EOL (end of life), contact the alarm service provider to replace/upgrade the unit to PowerLink3.
For products still under production, request that the alarm service provider remotely update the unit with the new firmware version released October 2016.