OTPulse
FeedAboutContact

Certec atvise webMI2ADS Vulnerabilities

Act NowICS-CERT ICSA-12-102-01Jan 13, 2012
Summary

Certec webMI2ADS versions prior to 2.0.2 contain a denial-of-service vulnerability (CWE-400) that could allow an attacker to cause the application to become unresponsive or crash through resource exhaustion. The vulnerability requires only network access to the web interface without authentication.

What this means
What could happen
A denial-of-service vulnerability in Certec webMI2ADS could allow an attacker to crash the application or make it unresponsive, disrupting access to your HMI/SCADA monitoring interface and potentially delaying operator response to alarms or process changes.
Who's at risk
Water utilities and electric utilities using Certec webMI2ADS as their HMI (Human-Machine Interface) or SCADA monitoring platform should be concerned. This affects any facility relying on webMI2ADS for real-time process visibility and operator control.
How it could be exploited
An attacker with network access to the webMI2ADS application could send specially crafted requests that consume excessive resources, causing the application to become unresponsive or crash. This requires network reachability to the web interface but no authentication.
Prerequisites
  • Network access to the webMI2ADS web interface port
  • No authentication required
remotely exploitableno authentication requiredno patch availablehigh EPSS score (20.8%)
Exploitability
High exploit probability (EPSS 20.8%)
Affected products (1)
ProductAffected VersionsFix Status
Certec webMI2ADS: <2.0.2<2.0.2No fix (EOL)
Remediation & Mitigation
0/3
Do now
0/1
HARDENINGImplement network firewall rules to restrict access to the webMI2ADS web interface to only trusted engineering workstations and control systems
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor for unusual traffic patterns or repeated connection attempts to webMI2ADS
Mitigations - no patch available
0/1
Certec webMI2ADS: <2.0.2 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGIsolate webMI2ADS on a separate control network segment with access controls
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/4922cae2-8e88-4337-95c5-b0800f43a8c6