10 June 2019
Multiple vulnerabilities in Optergy Proton/Enterprise building management system
Multiple vulnerabilities have been identified in the Optergy Proton/Enterprise building management system, some of them critical. Successful exploitation of the vulnerabilities identified could allow an attacker to achieve remote code execution and gain full system access.
A total of seven security flaws were identified. The most severe of these are:
- Unrestricted Upload of File with Dangerous Type (CVE-2019-7274). A remote and unauthenticated attacker can upload files with arbitrary extensions into a directory within the application's web root and execute them with the privileges of the web server. The vulnerability, which was assigned a CVSS v.3 base score of 9.9, exists due to the absence of file extension validation when uploading files.
- Hidden functionality (CVE-2019-7276), allowing unauthenticated code execution with the highest privileges. An attacker could exploit this vulnerability to navigate directly to an undocumented backdoor script and gain full system access. A CVSS v.3 base score of 10, the highest possible severity score, was calculated for this vulnerability.
- Use of dangerous undeclared class functions (CVE-2019-7278), which could be used by unauthenticated users for direct access to certain resources. This vulnerability was assigned a CVSS v.3 base score of 7.3.
- A hard-coded credentials vulnerability (CVE-2019-7279), which could be used by attackers to send unauthorized SMS messages to any phone number, limited only by the credits stored on the account behind the hard-coded credentials in the function. A CVSS v.3 base score of 3 has been calculated for this flaw.
The above vulnerabilities affect Proton/Enterprise versions 2.3.0a and prior.
To address these issues, the vendor recommends updating the Optergy server to version 2.4.5 or later.
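The upload flaw above (CVE-2019-7274) comes down to a missing extension check on a directory the web server will execute from. The following added Python example is not Optergy's code; the allowlist, the executable-extension list and the directory paths are assumptions. It contrasts the accept-anything pattern the advisory describes with a hardened handler that allowlists extensions, rejects double extensions, chooses its own filename and stores the file outside the web root.

```python
import os
import secrets
from pathlib import PurePosixPath

# Assumed allowlist for a building-management upload endpoint (not the vendor's policy).
ALLOWED_EXTENSIONS = {"csv", "pdf", "png", "jpg"}
# Assumed set of extensions the web server would execute if written under its web root.
EXECUTABLE_EXTENSIONS = {"php", "jsp", "jspx", "asp", "aspx", "cgi", "sh"}


def vulnerable_target_path(web_root: str, client_filename: str) -> str:
    """'Before' pattern matching the advisory: the client-supplied name is used
    unchanged and written under the web root, so an uploaded script is executable."""
    return os.path.join(web_root, "uploads", client_filename)


def hardened_target_path(upload_root: str, client_filename: str) -> str:
    """Hardened pattern: allowlisted extension, server-chosen name, storage outside
    the web root. Raises ValueError for anything that fails validation."""
    # Drop any directory component the client sent (defeats ../ traversal in the name).
    name = PurePosixPath(client_filename.replace("\\", "/")).name
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        # No extension, or a dotfile such as .htaccess
        raise ValueError("missing or hidden-file name")
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext}")
    # Reject inner executable extensions (shell.php.png) that some servers still run.
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:-1]):
        raise ValueError("executable inner extension")
    # The client never controls the on-disk name; only the validated extension survives.
    return os.path.join(upload_root, f"{secrets.token_hex(16)}.{ext}")


def is_accepted(client_filename: str, upload_root: str = "/var/bms-uploads") -> bool:
    """Convenience wrapper: True if the hardened handler would store the file."""
    try:
        hardened_target_path(upload_root, client_filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ["report.csv", "shell.jsp", "shell.php.png", "../shell.jsp", ".htaccess"]:
        print(f"{candidate!r:20} vulnerable -> {vulnerable_target_path('/var/www', candidate)}")
        print(f"{'':20} hardened   -> {'accepted' if is_accepted(candidate) else 'rejected'}")
```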