OTPulse

Clorius Controls A/S ISC SCADA Insecure Java Client Web Authentication

Low Risk · ICS-CERT ICSA-15-013-02 · Oct 16, 2015
Summary

Clorius Controls A/S Java web client versions prior to 01.00.0009b contain an insecure authentication mechanism due to a weak cryptographic implementation (CWE-326). An attacker with network access can intercept authentication traffic and compromise credentials or session tokens to gain unauthorized access to the SCADA system. The vendor has not released a fix; the product is end-of-life.

What this means
What could happen
An attacker with network access to the Java web client could intercept or manipulate authentication credentials and gain unauthorized access to the SCADA system, potentially allowing unauthorized control or observation of energy infrastructure operations.
Who's at risk
Energy sector operators using Clorius Controls A/S SCADA systems with the Java web client for remote access or monitoring. This affects utilities managing generation, transmission, or distribution assets that rely on this client for operational visibility or control.
How it could be exploited
An attacker positioned on the network between a user and the Clorius web client could intercept the authentication exchange, because the client's cryptographic implementation is weak (CWE-326). This allows the attacker to capture credentials or hijack an existing session without holding valid credentials of their own.
Prerequisites
  • Network access to the Clorius Java web client interface
  • User login attempt to the web client (passive interception possible)
  • Remotely exploitable
  • Insecure cryptographic implementation (CWE-326)
  • No patch available (end-of-life product)
  • Affects SCADA control system
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (1)
Product: Clorius Controls A/S Java web client
Affected versions: <01.00.0009b
Fix status: No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Use network-level encryption (TLS/VPN) between users and the web client to mitigate authentication interception
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

WORKAROUND: Disable the Java web client if it is not actively required for operations; use an alternative control interface if one is available
Mitigations - no patch available
Clorius Controls A/S Java web client versions prior to 01.00.0009b have reached end of life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate the Clorius web client behind a firewall or VPN; restrict access to authorized engineering workstations only
HARDENING: Monitor for suspicious authentication attempts and session activity on the SCADA system