LCDS - Leão Consultoria e Desenvolvimento de Sistemas Ltda ME LAquis SCADA

Plan PatchCVSS 7.8ICS-CERT ICSA-18-289-01Oct 16, 2018

LCDSEnergy

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

LAquis SCADA Smart Security Manager versions 4.1.0.3870 and earlier contain multiple memory corruption vulnerabilities (CWE-125, CWE-787, CWE-121), a path traversal vulnerability (CWE-22), and an integer overflow (CWE-680). These flaws could allow a local attacker to execute arbitrary code, crash the system, or write controlled content to the target system. The affected product is used in energy sector SCADA environments for system monitoring and management. Successful exploitation could alter process data, stop operations, or compromise system integrity. A fixed version (4.1.0.4114) has been released by the vendor. No known public exploits exist at this time.

What this means

What could happen

An attacker with local access to a system running LAquis SCADA could execute arbitrary code, crash the system, or modify data, potentially disrupting energy generation or distribution operations.

Who's at risk

Energy utilities and generation facilities using LAquis SCADA Smart Security Manager for monitoring and control. The vulnerability requires local access, so systems on isolated engineering networks are primarily at risk, but the impact—if exploited—could disrupt power operations or data integrity.

How it could be exploited

An attacker must have local access to a machine running LAquis SCADA Smart Security Manager (version 4.1.0.3870 or earlier). They would trigger one of the memory corruption or path traversal vulnerabilities (CWE-125, CWE-787, CWE-121, CWE-22) through user interaction or a crafted input to execute arbitrary code or write files to the system.

Prerequisites

Local access to a system running LAquis SCADA Smart Security Manager version 4.1.0.3870 or earlier
User interaction may be required to trigger the vulnerability (CWE-680 indicates UI component involved)

Local access required (limits risk)Memory corruption vulnerabilities presentPath traversal vulnerability presentNo patch available yet (users remain vulnerable until update)SCADA system impact

Exploitability

Some exploitation risk — EPSS score 7.1%

Affected products (1)

ProductAffected VersionsFix Status

Smart Security Manager:≤ 4.1.0.3870Version 4.1.0.4114+

Remediation & Mitigation

0/4

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate LAquis SCADA Smart Security Manager to version 4.1.0.4114 or later

Long-term hardening

0/3

HARDENINGIsolate LAquis SCADA systems and engineering workstations from the Internet and business network using firewalls

HARDENINGLimit local access to LAquis SCADA Smart Security Manager systems to authorized personnel only

HARDENINGIf remote access to LAquis SCADA systems is required, use a VPN with current security patches

CVEs (6)

CVE-2018-17893 CVE-2018-17895 CVE-2018-17897 CVE-2018-17899 CVE-2018-17901 CVE-2018-17911

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/24bef5f2-ba86-419e-b363-0cc23804d5c2

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.