VISAM Automation Base (VBASE) (Update B)
Act Now 9 · ICS-CERT ICSA-20-084-01 · Mar 24, 2020
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
VISAM Automation Base (VBASE) Editor contains multiple critical vulnerabilities that allow an attacker to read unexpected files via path traversal, escalate privileges to system level, execute arbitrary code, bypass security mechanisms, and discover the cryptographic key used for web login authentication. Affected version: 11.5.0.2 and earlier. The vulnerabilities include CWE-23 (path traversal), CWE-276 (incorrect permission assignment), CWE-326 (weak cryptography), CWE-922 (insecure direct object reference), and CWE-121 (stack-based buffer overflow).
What this means
What could happen
An attacker with network access to VBASE Editor could read sensitive files, escalate to system-level privileges, and execute arbitrary code on the engineering workstation, potentially compromising the entire automation system if the workstation has access to production PLCs or control networks.
Who's at risk
VISAM automation integrators and water/electric utilities using VBASE Editor for PLC programming and configuration. This affects engineering workstations that develop and deploy automation logic to production control systems. Risk is highest if the workstation has direct network connectivity to production PLCs, remote terminal servers, or is accessible from business networks.
How it could be exploited
An attacker with network access to a machine running VBASE Editor could exploit multiple vulnerabilities including path traversal (CWE-23) and privilege escalation (CWE-276) to read files outside the intended directory, gain system-level access, and execute arbitrary code. The weak cryptographic key (CWE-326) also allows the attacker to discover the web login credentials used for VBASE management.
Prerequisites
- Network access to the VBASE Editor application (typically port 80/443)
- VBASE Editor version 11.5.0.2 or earlier running on Windows workstation
remotely exploitable · no authentication required · allows arbitrary code execution · allows privilege escalation to system level · affects engineering workstations with access to control systems
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product | Affected Versions | Fix Status
VBASE Editor | 11.5.0.2 | 11.7.0.2 or later
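One way to triage an asset inventory against the version bounds above, as an added example that is not part of the advisory or any vendor tooling. The host names and inventory are constructed, and reporting builds between the two stated bounds as "undetermined" is an assumption, since the advisory gives no status for them.

```python
import re

# Version bounds as stated in the advisory.
LAST_AFFECTED = (11, 5, 0, 2)  # "11.5.0.2 and earlier"
FIRST_FIXED = (11, 7, 0, 2)    # "11.7.0.2 or later"

def parse_version(text):
    """Return a dotted four-part version as a tuple of ints, or None if malformed."""
    match = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(part) for part in match.groups()) if match else None

def classify(version_text):
    """Map one reported version string to a remediation status."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"      # needs manual inspection
    if version <= LAST_AFFECTED:
        return "affected"
    if version >= FIRST_FIXED:
        return "fixed"
    # Assumption: the advisory gives no status for builds between the bounds.
    return "undetermined"

def triage(inventory):
    """Group (host, version) pairs by status, preserving input order."""
    report = {"affected": [], "undetermined": [], "unparseable": [], "fixed": []}
    for host, version_text in inventory:
        report[classify(version_text)].append(host)
    return report

# Constructed sample inventory; host names and versions are illustrative.
SAMPLE_INVENTORY = [
    ("eng-ws-01", "11.5.0.2"),   # last affected build
    ("eng-ws-02", "11.4.9.9"),
    ("eng-ws-03", "11.7.0.2"),   # first fixed build
    ("eng-ws-04", "11.10.0.0"),  # newer than 11.7.0.2 numerically, "older" as a string
    ("eng-ws-05", "11.6.0.0"),   # between the stated bounds
    ("eng-ws-06", "11.5"),       # incomplete version string
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:13} {', '.join(hosts) or '-'}")
```

Comparing the versions as integer tuples matters here: a plain string comparison would sort 11.10.0.0 before 11.7.0.2 and misreport a fixed host as unpatched.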
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to VBASE Editor to only authorized engineering workstations using firewall rules or network segmentation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update VBASE Editor to version 11.7.0.2 or later
Long-term hardening
HARDENING: Isolate the automation engineering network from the business network and external internet connectivity