OTPulse

AGG Software Web Server Plugin

Priority: Plan patch
CVSS: 8.2
Advisory: ICS-CERT ICSA-21-161-02
Published: Jun 10, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The AGG Software Web Server plugin, versions 4.0.40.1014 and earlier, contains a path traversal vulnerability (CWE-23) and a cross-site scripting vulnerability (CWE-79). According to the advisory, an unauthenticated attacker with network access to the plugin could read arbitrary system files and execute remote code on the data logger. The plugin may be bundled with any AGG Software data logger product.

What this means
What could happen
An attacker could read arbitrary files from the data logger's file system and, per the advisory, execute code on the device, which would let them alter logged data or extract sensitive system files.
Who's at risk
Water and electric utility operators using AGG Software data loggers with the bundled Web Server plugin (v4.0.40.1014 or earlier) for remote monitoring or configuration. Any facility that uses these loggers for sensor data collection or equipment monitoring and exposes the web interface over a network is affected.
How it could be exploited
An attacker with network access sends a specially crafted HTTP request to the web server plugin; no authentication is needed. The path traversal flaw (CWE-23) lets the request name files outside the web root, so arbitrary files are returned; the cross-site scripting flaw (CWE-79) lets the attacker inject script into content served by the plugin, which then runs in the browser of an operator who views it. The outcome is data exposure and, per the advisory, code execution on the logger.
Prerequisites
  • Network access to the port the Web Server plugin listens on (HTTP or HTTPS; commonly 80 or 443, or a site-specific port)
  • No authentication required
  • Data logger with Web Server plugin version 4.0.40.1014 or earlier must be reachable
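The request pattern described above leaves a trace in the web server's access log, so a first check is to hunt for it there. The following is an added example, not code from AGG Software or from the advisory: it parses Common Log Format lines, percent-decodes the request target twice to catch double encoding, treats backslashes as separators, and flags requests whose path escapes the web root (CWE-23 probes) or carries script tags (CWE-79 probes). The sample log lines are constructed for the example, and the assumption that the plugin logs in Common Log Format is not stated on this page; adapt the regex to the real format. A traversal request that returned 200 is the record to escalate, since it suggests the file was actually served.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format. They are not
# captured from an AGG Software device; the plugin's real log format is an
# assumption here.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [10/Jun/2021:12:00:03 +0000] "GET /../../../../windows/win.ini HTTP/1.1" 200 92
10.0.0.9 - - [10/Jun/2021:12:00:04 +0000] "GET /..%2f..%2f..%2fwindows%2fwin.ini HTTP/1.1" 200 92
10.0.0.9 - - [10/Jun/2021:12:00:05 +0000] "GET /%252e%252e%5c%252e%252e%5cboot.ini HTTP/1.1" 404 0
10.0.0.7 - - [10/Jun/2021:12:00:06 +0000] "GET /data.csv?name=<script>alert(1)</script> HTTP/1.1" 200 30
10.0.0.5 - - [10/Jun/2021:12:00:07 +0000] "GET /logs/2021-06-10.csv HTTP/1.1" 200 8192
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def normalize_target(target):
    """Percent-decode twice (catches double encoding) and treat '\\' as a separator."""
    return unquote(unquote(target)).replace("\\", "/")


def classify(target):
    """Return the suspicious patterns found in one request target."""
    norm = normalize_target(target)
    path, _, _query = norm.partition("?")
    findings = []
    # Any '..' path segment tries to escape the intended directory (CWE-23 probe).
    if any(seg == ".." for seg in path.split("/")):
        findings.append("path-traversal")
    # Script tags, javascript: URLs or on*= handlers anywhere in the target
    # suggest an XSS probe (CWE-79). The on*= clause can false-positive on
    # parameter names that happen to start with "on"; review hits by hand.
    if re.search(r"<\s*script|javascript:|\bon[a-z]+\s*=", norm, re.IGNORECASE):
        findings.append("xss-probe")
    return findings


def scan(log_text):
    """Parse log lines and return one record per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; keep going rather than abort the scan
        findings = classify(m.group("target"))
        if not findings:
            continue
        status = int(m.group("status"))
        hits.append({
            "ip": m.group("ip"),
            "target": m.group("target"),
            "findings": findings,
            "status": status,
            # A traversal request answered with 200 likely disclosed a file.
            "likely_served": "path-traversal" in findings and status == 200,
        })
    return hits


def by_source(hits):
    """Count suspicious requests per source address."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        flag = "  <- likely served" if h["likely_served"] else ""
        print(f'{h["ip"]} {h["status"]} {h["target"]} {h["findings"]}{flag}')
    print(by_source(found))
```

Running the block against the constructed log reports three traversal requests from 10.0.0.9 (two of them answered with 200) and one XSS probe from 10.0.0.7; the two ordinary requests from 10.0.0.5 are not reported.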
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Affects data integrity and confidentiality
  • High CVSS score (8.2)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product: Web Server plugin (webserver.dll)
Affected versions: 4.0.40.1014 and prior
Fix status: fixed in 4.0.42 Build 512
Remediation & Mitigation
Do now
  • Hardening: Isolate data logger devices and their web interfaces behind a firewall; restrict network access to authorized engineering and monitoring workstations only.
  • Workaround: If remote access to the data logger is required, use a VPN with current security patches and strong authentication instead of exposing the web server directly to the Internet.
  • Hardening: Conduct network discovery to identify all AGG data loggers running the Web Server plugin and record the plugin version on each (the affected component is webserver.dll, not the logger firmware as a whole).
Schedule (requires maintenance window)
  Patching may require a device reboot; plan for process interruption.
  • Hotfix: Update the AGG Web Server plugin to version 4.0.42 Build 512 or later on all affected data loggers.
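Once the discovery step has produced a list of loggers and plugin versions, the remaining work is deciding which ones the hotfix applies to. The following is an added example, not code from AGG Software or from the advisory: it compares version strings in the two forms the advisory uses ("4.0.40.1014" and "4.0.42 Build 512") against the boundaries the advisory states, and reports each host as affected, fixed, or unknown. The inventory CSV and its hostnames are constructed for the example, and the treatment of "Build NNN" as the fourth component of the dotted scheme is an assumption not stated on this page. Versions that fall between the last affected build and the first fixed build are deliberately reported as unknown rather than fixed, because the advisory says nothing about them.

```python
import csv
import io
import re

# Boundaries as stated in the advisory: 4.0.40.1014 and prior are affected,
# 4.0.42 Build 512 or later carries the fix.
AFFECTED_MAX = "4.0.40.1014"
FIXED_MIN = "4.0.42 Build 512"


def parse_version(text):
    """Turn '4.0.40.1014' or '4.0.42 Build 512' into a comparable 4-tuple.

    Assumption (not stated on the page): the 'Build NNN' suffix is the fourth
    component of the same scheme as the dotted form.
    """
    nums = [int(n) for n in re.findall(r"\d+", text)]
    if not 1 <= len(nums) <= 4:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(nums + [0] * (4 - len(nums)))


def patch_status(version_text):
    """Classify one plugin version against the advisory's boundaries."""
    v = parse_version(version_text)
    if v <= parse_version(AFFECTED_MAX):
        return "affected"
    if v >= parse_version(FIXED_MIN):
        return "fixed"
    # Builds between the two boundaries are not covered by the advisory.
    return "unknown"


# Constructed inventory in the shape the discovery step might produce.
# Hostnames are hypothetical; the versions exercise each branch above.
INVENTORY_CSV = """\
host,product,version
logger-a.plant.example,AGG Web Server plugin,4.0.40.1014
logger-b.plant.example,AGG Web Server plugin,4.0.38.980
logger-c.plant.example,AGG Web Server plugin,4.0.42 Build 512
logger-d.plant.example,AGG Web Server plugin,4.0.41.1100
logger-e.plant.example,AGG Web Server plugin,4.0.42 Build 600
"""


def triage(inventory_csv):
    """Map each host in the CSV to affected / fixed / unknown."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        result[row["host"]] = patch_status(row["version"])
    return result


def hosts_needing_action(inventory_csv):
    """Hosts to schedule for the hotfix or for manual verification."""
    return sorted(h for h, s in triage(inventory_csv).items() if s != "fixed")


if __name__ == "__main__":
    for host, status in triage(INVENTORY_CSV).items():
        print(f"{host:28} {status}")
    print("needs action:", hosts_needing_action(INVENTORY_CSV))
```

For the constructed inventory, logger-a and logger-b are affected, logger-c and logger-e are fixed, and logger-d (4.0.41.1100) is reported as unknown and kept on the action list so that someone confirms its status with the vendor rather than assuming it is safe.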
API: /api/v1/advisories/b4238da8-59c5-47b3-8be3-5a60301d8e99