CISA, in collaboration with an anonymous researcher, released an Industrial Control Systems (ICS) advisory highlighting vulnerabilities in the Dorsett Controls InfoScan system. The advisory warns that these security issues, affecting InfoScan versions 1.32, 1.33, and 1.35, could lead to unauthorized access to sensitive information. The vulnerabilities are linked to exposure of sensitive information and improper limitation of pathnames, allowing potential attackers to access sensitive files or retrieve information about system files without authorization.
The advisory identifies three specific Common Vulnerabilities and Exposures (CVEs): CVE-2024-42493, CVE-2024-42408, and CVE-2024-39287. The first CVE involves a flaw that allows sensitive data exposure before user login, primarily via response headers and JavaScript. The second vulnerability is a path traversal issue, where attackers can intercept client download requests to reveal filenames on the system. The third CVE warns of an unprotected server file containing passwords and API keys, which could lead to credential misuse.
These vulnerabilities represent significant risks to the Water and Wastewater Systems sector in the United States. An exploit could lead to data theft, unauthorized access, and potential further attacks on critical infrastructure. Given the low complexity and remote exploitability of these issues, CISA has assigned a CVSS v4 score of 6.9 for each vulnerability, indicating a high-risk potential that needs immediate attention.
To mitigate these risks, Dorsett Controls recommends users update to InfoScan version 1.38 or later. This update is available via the Dorsett Controls Customer Portal, which provides detailed installation instructions. CISA also urges administrators to isolate control system networks, employ secure access methods like VPNs, and conduct thorough risk assessments before deploying any defensive measures. These steps are critical for minimizing potential exposure and securing ICS environments from exploitation.
Reference: