SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-560915408] Fidelix FX-20 Series Controllers Path Traversal Vulnerability

Date:          2016-12-22
Type:          Other
Platform:      Fidelix
Author:        Semen Rozhkov
EDB-ID:        N/A
CVE-ID:        CVE-2016-9364
OSVDB-ID:      N/A
Download App:  N/A
SIS Signature: N/A

Source

#
# Fidelix FX-20 Series Controllers Path Traversal Vulnerability
#


### OVERVIEW

Researcher Semen Rozhkov of Kaspersky Lab has identified a path traversal vulnerability in Fidelix's FX-20 series controllers. Fidelix has produced a new software version to mitigate this vulnerability.
This vulnerability could be exploited remotely.



### AFFECTED PRODUCTS

Fidelix reports that the vulnerability affects the following versions of FX-20 series controllers:
FX-20 series controllers, versions prior to 11.50.19



### IMPACT

Successful exploitation of this vulnerability may give an attacker the ability to read arbitrary files from the device. The attacker cannot write data; the impact is to confidentiality only, which is reflected in the CVSS vector below (C:H, I:N, A:N).
Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.



### BACKGROUND

Fidelix is a Finland-based company.
The affected products, FX-20 series controllers, are building controllers. According to Fidelix, FX-20 series controllers are deployed across several sectors including Commercial Facilities. Fidelix estimates that these products are used primarily in Europe.



### VULNERABILITY CHARACTERIZATION

# VULNERABILITY OVERVIEW

PATH TRAVERSAL
Arbitrary file reading via path traversal allows an attacker to access arbitrary files and directories on the server: a request path containing "../" segments (plain or percent-encoded) is joined onto the web root without being canonicalized and checked, so it escapes the intended directory.
CVE-2016-9364 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
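The following is an added, generic illustration of the vulnerability class, written for this page; it is not Fidelix code, does not reproduce the FX-20 web server or its affected endpoint, and the web root, files and request paths it uses are constructed. It places a naive file handler beside a hardened one and runs the same traversal attempts (plain, percent-encoded and mixed) against both, so the reader can see exactly which check stops the read.

```python
# Added example: generic path-traversal file read, vulnerable vs hardened.
# Illustrative code written for this page, not Fidelix firmware and not the
# FX-20 web server; the request paths and files below are constructed.
import os
import shutil
import tempfile
from urllib.parse import unquote


def vulnerable_read(webroot: str, request_path: str) -> str:
    """Serve a file by joining the decoded request path onto the web root.

    The only 'protection' is stripping leading slashes, so "../" segments
    (plain or percent-encoded) walk out of the web root: arbitrary file read.
    """
    decoded = unquote(request_path)          # the HTTP layer decodes %xx
    target = os.path.join(webroot, decoded.lstrip("/"))
    with open(target, "r", encoding="utf-8") as f:
        return f.read()


def hardened_read(webroot: str, request_path: str) -> str:
    """Serve a file only if its canonical path stays inside the web root.

    realpath() collapses ".." and resolves symlinks, so the containment test
    is done on the path the kernel will actually open, after decoding.
    """
    decoded = unquote(request_path)
    root_real = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/")))
    # Containment check by path component (commonpath), not by string prefix,
    # so that "/srv/www-secret" is not mistaken for a child of "/srv/www".
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"traversal blocked: {request_path!r}")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(request_path)
    with open(candidate, "r", encoding="utf-8") as f:
        return f.read()


def attempt(reader, webroot: str, request_path: str) -> str:
    """Run one request and reduce the outcome to file content or an error label."""
    try:
        return reader(webroot, request_path)
    except PermissionError:
        return "DENIED"
    except (FileNotFoundError, IsADirectoryError):
        return "NOT FOUND"


# Constructed request paths: one legitimate, the rest traversal attempts in
# plain, percent-encoded and mixed forms.
REQUESTS = ["/index.html", "/../secret.txt", "/%2e%2e/secret.txt", "/..%2fsecret.txt"]


def demo() -> dict:
    """Build a throwaway web root beside a 'secret' file and run both readers."""
    base = tempfile.mkdtemp(prefix="traversal_demo_")
    try:
        webroot = os.path.join(base, "www")
        os.makedirs(webroot)
        with open(os.path.join(webroot, "index.html"), "w", encoding="utf-8") as f:
            f.write("public page")
        # One level above the web root: reachable only through traversal.
        with open(os.path.join(base, "secret.txt"), "w", encoding="utf-8") as f:
            f.write("not for the web")
        return {
            "vulnerable": {p: attempt(vulnerable_read, webroot, p) for p in REQUESTS},
            "hardened": {p: attempt(hardened_read, webroot, p) for p in REQUESTS},
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for reader, outcomes in demo().items():
        for path, outcome in outcomes.items():
            print(f"{reader:10s} {path:22s} -> {outcome}")
```

The point to take from the hardened version is the order of operations: decode first, canonicalize with realpath() second, and only then compare against the canonical web root by path component. A check that looks for the literal string "../" in the raw request misses the percent-encoded forms, and a string-prefix comparison on the uncanonicalized path can be bypassed by a sibling directory that happens to share the prefix.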




### VULNERABILITY DETAILS

# EXPLOITABILITY

This vulnerability could be exploited remotely.



# EXISTENCE OF EXPLOIT

No known public exploits specifically target this vulnerability.



# DIFFICULTY

An attacker with a low skill level would be able to exploit this vulnerability.



### MITIGATION

Fidelix has released a new software version, 11.50.19, to address this vulnerability.
Users can obtain the new version by contacting their local distributor or Fidelix support at:
support@fidelix.fi