SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-822645589] Miele Professional PG 85 Series

Date: 2017-05-18
Type: Other
Platform: Miele Professional
Author: Jens Regel of Schneider & Wulf (publicly disclosed this vulnerability without ICS-CERT coordination)
EDB-ID: N/A
CVE-ID: CVE-2017-7240
OSVDB-ID: N/A
Download App: N/A
SIS Signature: N/A

Source

#
# Miele Professional PG 85 Series
#


### VULNERABLE VENDOR
Miele Professional


### VULNERABLE PRODUCT
PG 85 Series



### RESEARCHER
Jens Regel of Schneider & Wulf publicly disclosed this vulnerability without ICS-CERT coordination.



### AFFECTED PRODUCTS

Miele Professional reports that the following versions of the PG 85 product series, a large capacity cleaner and disinfector, and their embedded webservers are affected:

PG8527, version 2.02, 2.51, 2.52, and 2.54
PG8528, version 2.02, 2.51, 2.52, and 2.54
PG8535, version 1.00 and 1.04
PG8536, version 1.10 and 1.14



### IMPACT

Successful exploitation of this vulnerability could allow a remote attacker to read or modify sensitive data or files, execute unauthorized code or commands, and possibly cause a system crash.



### VULNERABILITY OVERVIEW

PATH TRAVERSAL CWE-22
A path traversal vulnerability has been identified in the embedded web server of the affected products. A remote attacker may be able to read sensitive information by supplying special elements (such as "../" sequences) in a requested pathname so that it resolves to a location outside of the restricted web root directory.
CVE-2017-7240 has been assigned to this vulnerability.
A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
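The following is an added illustration of the CWE-22 pattern described above, not code from the Miele PG 85 embedded web server and not an exploit for it: a minimal static-file handler that joins the requested path onto the web root without a containment check, beside a hardened version that decodes the path exactly once, rejects ".." components, resolves the final path and requires it to stay inside the resolved web root. The web root, file names and request paths are constructed for the demo.

```python
"""Added example for this page: vulnerable vs. hardened static-file serving.
Illustrative code only; not the Miele PG 85 web server and not an exploit
for it. The directory layout below is constructed for the demo."""
import os
import tempfile
from urllib.parse import unquote

# Constructed layout: <base>/webroot/index.html is public,
# <base>/secret.txt sits one level above the web root.
_BASE = tempfile.mkdtemp(prefix="cwe22_demo_")
WEB_ROOT = os.path.join(_BASE, "webroot")
os.mkdir(WEB_ROOT)
with open(os.path.join(WEB_ROOT, "index.html"), "w") as fh:
    fh.write("<html>public</html>")
with open(os.path.join(_BASE, "secret.txt"), "w") as fh:
    fh.write("device credentials (constructed)")


def serve_vulnerable(root, request_path):
    """Vulnerable handler: decodes the URL path and joins it onto the web
    root with no check that the result is still inside root, so a request
    for /../secret.txt escapes the directory (CWE-22)."""
    rel = unquote(request_path).lstrip("/")
    full = os.path.join(root, rel)
    try:
        with open(full, "rb") as fh:
            return 200, fh.read()
    except OSError:
        return 404, b""


def serve_hardened(root, request_path):
    """Hardened handler: decode once, reject NUL bytes and any '..'
    component outright, resolve symlinks with realpath, and only open
    the file if the resolved path is inside the resolved web root."""
    root_real = os.path.realpath(root)
    rel = unquote(request_path).lstrip("/")
    if "\x00" in rel or ".." in rel.split("/"):
        return 403, b""
    full = os.path.realpath(os.path.join(root_real, rel))
    # Containment check is the second line of defence: it also covers
    # symlinks under the web root that point outside it.
    if full != root_real and not full.startswith(root_real + os.sep):
        return 403, b""
    try:
        with open(full, "rb") as fh:
            return 200, fh.read()
    except OSError:
        return 404, b""


def compare(request_path):
    """Return (vulnerable status, hardened status) for one request path."""
    return serve_vulnerable(WEB_ROOT, request_path)[0], serve_hardened(WEB_ROOT, request_path)[0]


if __name__ == "__main__":
    for path in ("/index.html", "/../secret.txt", "/%2e%2e/secret.txt", "/missing.html"):
        print(path, compare(path))
```

Note that the hardened handler decodes the request path only once; a server that decodes twice would turn "%252e%252e" into "..", so the containment check on the resolved path, not the string filter, is what must hold.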





### BACKGROUND

Critical Infrastructure Sector: Healthcare and Public Health
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany




### MITIGATION

Miele Professional issued patches for this vulnerability on May 4, 2017. Miele Professional is in the process of contacting all affected users via registered mail.

Users of affected machines can contact Miele Professional at 1-800-991-9380 to schedule service for a software update, which must be performed by a Miele Professional technician.

The following updates are available for affected Miele Professional PG 85 series products:

PG8527, version 2.02: update to version 2.12
PG8527, version 2.51: update to version 2.61
PG8527, version 2.52: update to version 2.62
PG8527, version 2.54: update to version 2.64
PG8528, version 2.02: update to version 2.12
PG8528, version 2.51: update to version 2.61
PG8528, version 2.52: update to version 2.62
PG8528, version 2.54: update to version 2.64
PG8535, version 1.00: update to version 1.10
PG8535, version 1.04: update to version 1.14
PG8536, version 1.10: update to version 1.20
PG8536, version 1.14: update to version 1.24

Miele Professional issued a press release addressing this vulnerability on March 29, 2017, which can be found here:

https://www.miele.de/en/m/miele-admits-communication-glitch-4072.htm