Elcomplus SmartPTT SCADA Server

Act Now9.8ICS-CERT ICSA-22-109-05Apr 19, 2022

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

SmartPTT SCADA Server v1.4 contains multiple vulnerabilities that allow an unauthorized attacker to upload arbitrary files, traverse the filesystem outside restricted directories, inject malicious data into the database, or bypass request forgery protections. These vulnerabilities could result in data exposure or unintended code execution on the SCADA server. Elcomplus has released Version 2.3.4 or later to address these issues.

What this means

What could happen

An attacker could upload malicious files, traverse the file system to access unauthorized data, store malicious content in the database, or execute unintended code on the SCADA server, potentially disrupting energy operations or exposing critical system information.

Who's at risk

Energy sector operators, particularly utilities running SmartPTT SCADA Server v1.4 for remote monitoring and control of generation, transmission, or distribution equipment.

How it could be exploited

An attacker with network access to the SmartPTT SCADA Server can exploit multiple weaknesses: upload arbitrary files via an unvalidated upload function (CWE-434), traverse the filesystem to access restricted files (CWE-35), inject malicious data into the trusted database (CWE-79), or bypass CSRF protections (CWE-352) to perform unauthorized actions. No authentication is required.

Prerequisites

Network access to the SmartPTT SCADA Server
No authentication required

Remotely exploitableNo authentication requiredLow complexity attackCritical severity (CVSS 9.8)Multiple vulnerability typesNo patch available for v1.4 without upgrade

Exploitability

Low exploit probability (EPSS 0.3%)

Affected products (1)

ProductAffected VersionsFix Status

SmartPTT SCADA Server: v1.41.42.3.4

Remediation & Mitigation

0/4

Do now

0/3

HARDENINGRestrict network access to SmartPTT SCADA Server; ensure it is not reachable from the Internet

HARDENINGPlace SmartPTT SCADA Server behind a firewall and isolate it from the business network

WORKAROUNDUse VPN with multi-factor authentication for any required remote access to the SCADA server

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade SmartPTT SCADA Server to Version 2.3.4 or later

CVEs (5)

CVE-2021-43932 CVE-2021-43938 CVE-2021-43934 CVE-2021-43930 CVE-2021-43937

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/df4d6326-fa37-44a5-9897-4909506c30d5