CVSS2
Attack Vector: LOCAL
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile: 48.9%
**ATTENTION:** Remotely exploitable/low skill level to exploit.
Vendor: Automated Logic Corporation (ALC)
Equipment: WebCTRL, i-VU, SiteScan
Vulnerabilities: Unquoted Search Path or Element; Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"); Unrestricted Upload of File with Dangerous Type
The following versions of WebCTRL, i-Vu, SiteScan Web, building automation platforms, are affected:
Successful exploitation of these vulnerabilities could allow an authenticated user to elevate his or her privileges to execute arbitrary code on the system.
ALC provides support for WebCTRL, i-Vu, SiteScan Web versions 6.0 and greater. Users of prior versions, including 5.5 and 5.2, must upgrade to a supported version in order to install these mitigation patches.
ALC applications should always be installed and maintained in accordance with the guidelines found here:
<http://www.automatedlogic.com/Pages/Security.aspx>.
In addition, ALC has released the following patches, which address these vulnerabilities:
These patch releases may be obtained on the ALC accounts web site or by calling Technical Support at 770-429-3002.
The patch release may be obtained by calling Technical Support at 800-277-9852.
These patches may be obtained by contacting Liebert Services at 1-800-543-2378.
NCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
An unquoted search path vulnerability may allow a non-privileged local attacker to change files in the installation directory and execute arbitrary code with elevated privileges.
CVE-2017-9644 has been assigned to this vulnerability. A CVSS v3 base score of 4.2 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L).
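An audit for the unquoted search path condition described above, as an added example that is not part of the advisory or ALC's code: it flags Windows service ImagePath values that are unquoted and contain spaces, and lists the intermediate paths Windows would try before the intended executable, so those locations can be checked for write access. The service names and paths are constructed placeholders, not the affected products' real install paths.

```python
import re

# Constructed sample: service name -> ImagePath value, as stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>. All names and paths here
# are hypothetical placeholders.
SAMPLE_SERVICES = {
    "ExampleBAS": r"C:\Program Files\Example Vendor\BAS Server 6.0\bin\service.exe -run",
    "ExampleQuoted": r'"C:\Program Files\Example Vendor\BAS Server 6.0\bin\service.exe" -run',
    "ExampleNoSpace": r"C:\Tools\agent.exe --service",
    "ExampleDriver": r"\SystemRoot\System32\drivers\example.sys",
}

# Executable portion of an unquoted command line: everything up to the first
# ".exe" that is followed by whitespace or the end of the string.
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def unquoted_executable(image_path):
    """Return the executable path if the value is unquoted, else None."""
    value = image_path.strip()
    if value.startswith('"'):
        return None  # quoted: Windows resolves it unambiguously
    match = _EXE.match(value)
    return match.group(1) if match else None


def earlier_candidates(exe_path):
    """Paths Windows tries first for an unquoted path: the text before each
    space, with ".exe" appended, in left-to-right order."""
    return [exe_path[:i] + ".exe" for i, ch in enumerate(exe_path) if ch == " "]


def audit(services):
    """Map each affected service name to the paths whose ACLs need review."""
    findings = {}
    for name, image_path in services.items():
        exe = unquoted_executable(image_path)
        if exe and " " in exe:
            findings[name] = earlier_candidates(exe)
    return findings


if __name__ == "__main__":
    for name, paths in audit(SAMPLE_SERVICES).items():
        print(f"{name}: ImagePath is unquoted and contains spaces")
        for path in paths:
            print(f"  review who can create: {path}")
```

A finding is closed by quoting the ImagePath value (the vendor patch is the supported route for the products in this advisory) and by confirming that non-administrative users cannot write to the listed locations.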
An authenticated attacker may be able to overwrite files that are used to execute code. This vulnerability does not affect version 6.5 of the software.
CVE-2017-9640 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
An authenticated attacker may be able to upload a malicious file allowing the execution of arbitrary code.
CVE-2017-9650 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).
Gjoko Krstic from Zero Science Lab identified the vulnerabilities.
Critical Infrastructure Sector: Commercial Facilities
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Kennesaw, Georgia