A serious vulnerability that allows an attacker to steal files from an affected system has been found by a researcher in a building automation product from Swiss-based Fr. Sauter AG. It took the vendor only 10 days to release a patch.
The impacted product, CASE Suite, is designed for handling building automation projects. ICS-CERT says the software is used worldwide, particularly in the critical manufacturing sector.
Gjoko Krstic, a researcher with industrial cybersecurity firm Applied Risk, found that CASE Suite versions 3.10 and prior are affected by a high severity XML external entity (XXE) vulnerability. According to an advisory published by Applied Risk on Friday, the flaw impacts the CASE Components, CASE Sensors and CASE VAV applications.
The security hole is tracked as CVE-2018-17912 and it has been assigned CVSS scores of 7.5 (ICS-CERT) and 8.6 (Applied Risk).
“The application suffers from an XML External Entity (XXE) vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack,” Applied Risk said in its advisory. “The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML data file.”
Krstic told SecurityWeek that an attacker can exploit the vulnerability by getting the targeted user to open a specially crafted XML file using a vulnerable version of the CASE Suite software. For instance, the file can be sent via email, and it may not raise too much suspicion as the software includes functionality for saving and opening project or data files with this format.
In another attack scenario, if the attacker already has access to the system, they can place the malicious file anywhere (e.g., the Desktop folder) and it will be automatically loaded when the user browses to that location via the Sauter software. The researcher noted that the application automatically loads XML files found in folders browsed by the user – he described this as dangerous functionality.
Once the malicious XML file is loaded, it allows the attacker to steal any file from the compromised system, including configuration data, personal information, account credentials, and details about the system and the network housing it, Krstic said via email.
The vulnerability can also be exploited to cause the impacted software to enter a denial-of-service (DoS) condition.
It’s not uncommon for researchers to find vulnerabilities in building automation software. However, in this case it took Sauter only 10 days to release a patch after it was informed of the flaw by ICS-CERT on October 15. It often takes vendors hundreds of days to patch security holes in automation products.