Columbia Weather Systems, Inc. has a firmware update to mitigate multiple vulnerabilities in its Weather MicroServer, according to a report with NCCIC.

The vulnerabilities include cross-site scripting, path traversal, improper authentication, improper input validation, and code injection.

Successful exploitation of these remotely exploitable vulnerabilities, discovered by John Elder and Tom Westenberg of Applied Risk, may allow disclosure of data, cause a denial-of-service condition, and allow remote code execution.

Weather MicroServer, a weather monitoring system, suffers from the issues in firmware Version MS_2.6.9900 and prior.

In one vulnerability, a cross-site scripting error exists that does not properly validate input, which may allow arbitrary web script to be executed.

CVE-2018-18875 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.

In addition, a path traversal vulnerability exists that could allow an attacker read access to files within the directory structure of the target device.

CVE-2018-18876 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

Also, an improper authentication vulnerability exists that could allow a possible authentication bypass, allowing an attacker to manipulate the device and cause a denial-of-service condition.

CVE-2018-18877 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

Moreover, an improper input validation vulnerability exists allowing an attacker to craft the input in a form that is not expected by the rest of the application, causing a denial-of-service condition and the device to become unavailable.

CVE-2018-18878 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

In addition, a code injection vulnerability exists that could allow remote code execution.

CVE-2018-18879 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

Also, a cross-site scripting error exists that does not properly validate input, which may allow arbitrary web script to be executed.

CVE-2018-18880 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.

The product sees use mainly in the information technology sector. It also sees action in the United States.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

U.S.-based Columbia Weather Systems released a firmware update, Version: MS_2.7.9973, that addresses all the above vulnerabilities found on the Weather MicroServer.

To upgrade Weather MicroServer, contact Columbia Weather Systems by phone at 503-629-0887 or by email.
