This week there were two control system vulnerability disclosures on the Full Disclosure web site. The first is for an access control platform and the second is for a laboratory information management system (LIMS) used in medical labs.
Access Control Platform
On Wednesday Andrew Griffiths from the Google Security Team announced multiple vulnerabilities in the Spider access control platform from SICUNET. The vulnerabilities include:
• Outdated software;
• PHP include();
• Unauthenticated remote code execution;
• Hardcoded root credentials; and
• Passwords stored in plaintext.
As expected from the Google Security Team, the vendor was notified of the vulnerabilities multiple times, but no reply was received within the standard 90-day disclosure window used by Google.
On Thursday Nicholas von Pechmann from Shorebreak Security announced multiple vulnerabilities in the dnaLIMS application from dnaTools. The vulnerabilities include:
• Improperly protected web shell - CVE-2017-6526;
• Unauthenticated Directory Traversal - CVE-2017-6527;
• Insecure Password Storage - CVE-2017-6528;
• Session Hijacking - CVE-2017-6529;
• Cross-site Scripting (2 instances); and
• Improperly Protected Content.
The Shorebreak Security advisory provides proof-of-concept code for most of these vulnerabilities and reports that Shorebreak has developed Metasploit modules for many of them.
Shorebreak notified the vendor of the vulnerabilities in November. While dnaTools replied that the application should be kept behind a firewall, the researchers were given no indication that there would be any attempt to fix the vulnerabilities. Multiple university laboratories have online login pages for this application that are readily found via Google.