SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-518790984] OPW Fuel Management Systems SiteSentinel Integra and SiteSentinel iSite

Date Type Platform Author EDB-ID CVE-ID OSVDB-ID Download App SIS Signature
2017-08-31OtherOPW Fuel Management SystemsSemen Rozhkov of Kaspersky Lab discovered these vulnerabilities. OPW hired a third party testing firm to validate that the firmwN/ACVE-2017-1273 CVE-2017-1273 N/AN/AN/A

Source

						
							
								
#
# OPW Fuel Management Systems SiteSentinel Integra and SiteSentinel iSite
#


### VULNERABLE VENDOR
OPW Fuel Management Systems


### VULNERABLE PRODUCT
SiteSentinel Integra and SiteSentinel iSite



### RESEARCHER
Semen Rozhkov of Kaspersky Lab discovered these vulnerabilities. OPW hired a third party testing firm to validate that the firmware upgrade resolved the security issues.



### AFFECTED PRODUCTS

OPW Fuel Management Systems (OPW) reports that the vulnerabilities affect SiteSentinel Integra 100, SiteSentinel Integra 500, and SiteSentinel iSite ATG consoles with the following software versions:

Older than V175,
V175-V189,
V191-V195, and
V16Q3.1



### IMPACT

Successful exploitation of these vulnerabilities could allow an unauthorized user to create an account on the device or access the device's database.



### VULNERABILITY OVERVIEW

MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
An attacker may create an application user account to gain administrative privileges.
CVE-2017-12733 has been assigned to this vulnerability.
A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL INJECTION') CWE-89
The application is vulnerable to injection of malicious SQL queries via the input from the client.
CVE-2017-12731 has been assigned to this vulnerability.
A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)





### BACKGROUND

Critical Infrastructure Sectors: Energy, Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States




### MITIGATION

OPW considers this a critical issue that needs to be addressed immediately. They have issued "Service Bulletin 462" and a letter to users to inform them of the availability of free upgrades (firmware Version 17Q2.1) to mitigate these vulnerabilities.

OPW recommends that users upgrade all affected systems even if they are already protected from exploitation by running off-line or located on a protected network.

OPW has released instructions telling users how to update to the newest firmware version. For specific step-by-step instructions on how to save settings, backup database, and install the new firmware, see the upgrade procedure (M00-20-4438) at the following location:

http://www.opwglobal.com/docs/libraries/manuals/electronic-systems/opw-fms-manuals/m00-20-4438-integra-software-upgrade.pdf?sfvrsn=14


More information can also be found in the configuration guide:

http://www.opwglobal.com/opw-fms/tech-support/manuals-how-to-videos/technical-manuals


For additional assistance, users and distributors may call the technical service line at 877-OPW-TECH (877-679-8324). OPW has also dedicated an additional phone number specifically for addressing this issue: 312-244-0632. Users may also email FMSOrders@DoverFS.com


or contact their commercial district manager.