#VU7098 Information disclosure in VTScada - CVE-2017-6045

Cybersecurity Help s.r.o.

Published: 2017-06-15

Vulnerability identifier: #VU7098

Vulnerability risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-6045

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
VTScada
Server applications / SCADA systems

Vendor: Trihedral Engineering Ltd

Description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to exposure of some files within the web server application to unauthenticated users. A remote attacker can read arbitrary files.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation
Update to version 11.2.26.

Vulnerable software versions

VTScada: 9 - 11.2

External links
https://ics-cert.us-cert.gov/advisories/ICSA-17-164-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Trihedral VTScada