Yesterday the DHS ICS-CERT published a control system security advisory for twin vulnerabilities in the American Auto-Matrix Building Automation Front-End Solutions application. The vulnerabilities were reported by Maxim Rupp. American Auto-Matrix has produced an update to mitigate the vulnerabilities. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.
The vulnerabilities include:
• Local file inclusion - CVE-2016-2307; and
• Plain text storage of a password - CVE-2016-2308.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to obtain authenticated credentials for all aspects of the system.