Attacks and Vulnerabilities
Building Management Systems
CISA
Critical infrastructure
Industries
Management & Strategy
Manufacturing
Medical
Mining, Oil & Gas
News
Technology & Solutions
Transportation
Utilities: Energy & Power, Water, Waste

Claroty, AUVESY identify security vulnerabilities in Versiondog hardware

October 20, 2021
Versiondog

Claroty Team82’s research team has worked with AUVESY since last year after critical vulnerabilities were identified in AUVESY’s data management software for automated production, Versiondog. The security flaws could have enabled an advanced attacker to remotely exploit these vulnerabilities to run code of their choice in order to establish a fully working remote shell that would allow for reading or writing files, executing database queries, and much more.

AUVESY has now patched all of the vulnerabilities as part of versiondog 8.1 and all later versions, and the Cybersecurity and Infrastructure Security Agency (CISA) also released an ICS-CERT advisory with vulnerability and mitigation information, Team82 said in a post on Monday. Versiondog runs across equipment found in multiple critical infrastructure sectors to automatically store software versions, document them, and securely back up data that can be compared to current error-free versions, in order to ensure plants run efficiently.

Claroty’s Amir Preminger reported these vulnerabilities to CISA, the agency said on Tuesday.

Any disruption or manipulation of the information handled by the product could have devastating consequences to the safety and integrity of an industrial process, according to Team82. A timely, coordinated response from an affected vendor indicates a level of responsibility to customers and the ICS (Industrial control system) domain to ensure that products are safe and reliable to use. Versiondog’s level of diligence in its engagement with Claroty went beyond a one-time patching of a handful of vulnerabilities.

All versions prior to v8.0 of Versiondog are said to contain several security vulnerabilities, including improper access control, incorrect permission assignment for critical resource, use of hard-coded cryptographic key, out-of-bounds read, use after free, out-of-bounds write, write-what-where condition, use of potentially dangerous function, unrestricted upload of file with dangerous type, external control of filename or path, external control of system or configuration setting, improper input validation, uncontrolled resource consumption, uncontrolled search path element, authentication bypass by capture-replay, SQL injection, and uncontrolled resource consumption. The exploitation of these vulnerabilities could allow an attacker to achieve remote code execution, and acquire complete remote control over the machine.

AUVESY management and engineers solved the problem by addressing the root cause of the issue by scanning its entire codebase and properly understanding the building blocks of its product to wipe out a class of vulnerabilities, rather than a one-off patching and mitigation exercise.

AUVESY was also prompted by this disclosure to examine and improve its product and development lifecycles in order to keep future vulnerabilities to a minimum and ultimately improve its overall security posture. The German company has a team of internal security experts working on testing and improving its products. In addition to safeguarding customers’ data, customers benefit from high plant availability and keep downtime to an absolute minimum.

AUVESY also relies on the input and feedback of external researchers in order to ensure product security is maintained at the highest level.

AUVESY has patched or provided mitigations for all of the vulnerabilities privately disclosed by Team82. The vulnerabilities were found in the versiondog OS Server API, Scheduler, and WebInstaller in versiondog version 8.0. All vulnerabilities were fixed as part of versiondog 8.1 released last October and all later versions.

Some of the versiondog components affected by the vulnerabilities discovered by Team82 include versiondog OS Server API, a Windows service that processes versiondog API requests via a proprietary protocol. Team82 researchers discovered critical vulnerabilities in almost all mechanisms related to its message processing, including a lack of security checks, improper parameter sanitation, and unauthenticated remote interactions with a low-level Windows API.

In the versiondog Scheduler service that enables the user to start and stop jobs, Team82 found a number of issues, including SQL injection vulnerabilities that allow an attacker to inject a query that contains a malicious payload. In the case of its versiondog WebInstaller, a Golang web server executable that enables generation of an AUVESY image agent, Team82 found a resource consumption vulnerability that can be triggered by generating large numbers of installations that are saved in a temp folder and can consume all free space on the disk, preventing check in/out operations.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Mandiant exposes APT44, Russia's Sandworm cyber sabotage unit, targeting global critical infrastructure
Mandiant exposes APT44, Russia’s Sandworm cyber sabotage unit, targeting global critical infrastructure
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Armis
Armis acquires Silk Security for $150 million to enhance AI-driven cybersecurity capabilities
Nozomi discovers five vulnerabilities in AMI MegaRAC SP-X BMC, exposing OT, IOT devices to RCE attacks
Nozomi secures US$1.25 million US Air Force contract to boost DoD critical infrastructure security
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack
CISA announces Cyber Storm IX cybersecurity exercise to strengthen national cyber readiness
CISA announces Cyber Storm IX cybersecurity exercise to strengthen national cyber readiness
New NSA guidance identifies need to update AI systems to address changing risks, bolster security
New NSA guidance identifies need to update AI systems to address changing risks, bolster security
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow's emergency detection systems
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow’s emergency detection systems
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations