SB2021080605 - Multiple vulnerabilities in mySCADA myPRO

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2021-33013)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the affected product does not restrict unauthorized read access to sensitive system information. A remote attacker can bypass implemented security restrictions and gain unauthorized access to sensitive information on the system.

2) Arbitrary file upload (CVE-ID: CVE-2021-33009)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to insufficient validation of file during file upload. A remote attacker can upload a malicious file and execute it on the server.

3) Path traversal (CVE-ID: CVE-2021-33005)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and upload arbitrary files to arbitrary directories.

4) Information disclosure (CVE-ID: CVE-2021-27505)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to affected software does not restrict unauthorized read access to sensitive directory listing information. A remote attacker can gain unauthorized access to sensitive information on the system.

Remediation

Install update from vendor's website.

References

• https://ics-cert.us-cert.gov/advisories/icsa-21-217-03