External risk intelligence

ScadaBR Remote Code Execution Vulnerability

CVE advisory · Known Exploit

CVE-2021-26828

A vulnerability in OpenPLC ScadaBR permits authenticated users to upload and execute JSP files, potentially leading to unauthorized code execution. This can affect system integrity and data confidentiality for organizations. The risk to business operations and sensitive data is high.

Halo Surface Signal: 3

Unrestricted File Upload

ScadaBR

Affected versions: 0.9.1 and earlier; 1.12.4 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2021-26828

ScadaBR is a SCADA/HMI platform typically deployed in industrial or internal control environments. While it provides a web interface that can be exposed to the internet, such systems are generally protected by network segmentation, VPNs, or firewalls. Internet-facing exposure is possible depending on the deployment, but it is not a standard public-facing web service.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists within OpenPLC ScadaBR software, affecting both Linux and Windows operating systems. This flaw allows authenticated users to upload and execute JavaServer Pages (JSP) files, potentially leading to unauthorized code execution. The impact of this vulnerability could involve the compromise of system integrity and data confidentiality for affected organizations.

  • Vulnerable component: OpenPLC ScadaBR
  • Core weakness: Arbitrary file upload and execution
  • Main business impact: System compromise and data risk

Attack Path

How an attacker could exploit the issue

Attackers can exploit a vulnerability in OpenPLC ScadaBR to gain unauthorized control over affected systems. This attack requires an attacker to first gain authenticated access to the system. Once authenticated, the attacker can upload and execute arbitrary JavaServer Pages (JSP) files. This action can lead to the attacker gaining significant control over the compromised system, potentially impacting operations and data.

  • Authenticated access required
  • Upload and execute JSP files
  • Gain system control

Live Threat

Current exploitation, exposure, and threat context

An authenticated user could upload and run arbitrary code on affected systems. This vulnerability could allow an attacker to gain control of the system, potentially leading to significant disruption or data compromise. Organizations should consider this a high-priority issue.

  • Requires authenticated access.
  • Exploitation requires little skill.
  • Business risk is high; treat as urgent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows authenticated users to upload and execute arbitrary code, posing a significant risk to affected systems. Organizations should prioritize identifying and mitigating their exposure to this vulnerability. Prompt action is necessary to protect business operations and sensitive data from potential compromise.

  • Identify exposed assets.
  • Reduce exposure or isolate risk.
  • Fix, verify, and monitor.
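One concrete way to carry out the "verify and monitor" step for a JSP upload flaw is to snapshot the server-executable files under the deployed web application right after a known-good deployment and re-check the tree on a schedule. The script below is an added example, not ScadaBR code or part of this advisory: the extension list, the directory layout and the file names in run_demo() are constructed assumptions, and the webapp root path would be supplied by the operator.

```python
"""Baseline-and-diff check for server-executable files under a web application
root. Added example (not ScadaBR code): EXECUTABLE_EXT and the constructed
scenario in run_demo() are assumptions for illustration."""
import hashlib
import os
import shutil
import tempfile

# Extensions the servlet container will compile or execute. A new or changed
# file of this kind outside a deployment window is the artefact an
# unrestricted upload leaves behind.
EXECUTABLE_EXT = (".jsp", ".jspx", ".jspf", ".shtm", ".shtml", ".war", ".jar", ".class")


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> sha256 for every executable file under root.
    Take this snapshot immediately after a verified, known-good deployment."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXECUTABLE_EXT):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = _sha256(full)
    return baseline


def find_unexpected(root, baseline):
    """Compare the live tree with the baseline; return sorted (status, relpath) pairs.
    NEW and MODIFIED entries are the ones to investigate; MISSING usually means
    an unrecorded redeploy."""
    current = build_baseline(root)
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append(("NEW", rel))
        elif baseline[rel] != digest:
            findings.append(("MODIFIED", rel))
    for rel in baseline:
        if rel not in current:
            findings.append(("MISSING", rel))
    return sorted(findings)


def run_demo():
    """Constructed scenario: snapshot a webapp, then add a JSP and alter an
    existing one. Returns (findings_before, findings_after)."""
    root = tempfile.mkdtemp(prefix="webapp-")
    try:
        os.makedirs(os.path.join(root, "WEB-INF"))
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "index.jsp"), "w") as f:
            f.write("<html>ok</html>\n")
        with open(os.path.join(root, "logo.png"), "wb") as f:
            f.write(b"\x89PNG\r\n\x1a\n")          # non-executable, ignored
        baseline = build_baseline(root)
        before = find_unexpected(root, baseline)   # clean tree: []
        # Inert stand-ins for what an upload would leave behind (constructed).
        with open(os.path.join(root, "uploads", "new.jsp"), "w") as f:
            f.write("<html>new</html>\n")
        with open(os.path.join(root, "index.jsp"), "a") as f:
            f.write("<!-- changed -->\n")
        after = find_unexpected(root, baseline)
        return before, after
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for status, rel in run_demo()[1]:
        print(f"{status:9} {rel}")
```

Run build_baseline() once against the real webapp directory and persist the result; a cron job or agent then calls find_unexpected() and raises an alert on any NEW or MODIFIED entry that does not coincide with a recorded deployment.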

Frequently asked questions

What is OpenPLC ScadaBR and what is its purpose in industrial environments?

OpenPLC ScadaBR is a software platform designed for Supervisory Control and Data Acquisition (SCADA) and Human-Machine Interface (HMI) functionalities. It is utilized in industrial settings to oversee and manage operational systems, enabling remote monitoring and control.

What type of vulnerability does CVE-2021-26828 represent, and what is the weakness class?

CVE-2021-26828 is classified as CWE-434, an 'Unrestricted Upload of File with Dangerous Type' weakness. This allows an attacker to upload files that the system should not permit, potentially leading to the execution of unauthorized code.
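The defensive counterpart of CWE-434 is a server-side upload validator that allowlists the few types a view editor legitimately needs and refuses everything the container could execute. The code below is an added example, not ScadaBR code and not the vendor's fix: the allowlist, the magic-byte table, the dangerous-extension set and the sample inputs are constructed assumptions chosen to illustrate the checks a reviewer would look for.

```python
"""Upload validator against CWE-434 (Unrestricted Upload of File with
Dangerous Type). Added example, not ScadaBR code: ALLOWED_TYPES,
DANGEROUS_EXTENSIONS and the samples in the demo are assumptions."""
import os
import re

# Assumed allowlist: graphics an HMI view editor would accept.
# Extension -> leading bytes the content must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Anything a servlet container would compile or execute if written under the web root.
DANGEROUS_EXTENSIONS = {
    "jsp", "jspx", "jspf", "jsw", "jsv", "shtm", "shtml", "war", "jar", "class",
}

SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). The file is accepted only if every check passes."""
    # 1. Reject client-supplied directory components (path traversal).
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename:
        return False, "path components in filename"
    # 2. Split on the FIRST dot so 'shell.png.jsp' yields ext 'png.jsp' and the
    #    whole suffix chain is inspected, not just the last part.
    if "." not in base:
        return False, "missing extension"
    stem, ext = base.split(".", 1)
    ext = ext.lower()
    if not SAFE_STEM.match(stem):
        return False, "unsafe characters in filename"
    # 3. A dangerous extension anywhere in the chain is rejected outright.
    if any(part in DANGEROUS_EXTENSIONS for part in ext.split(".")):
        return False, "server-executable extension"
    # 4. The remaining extension must be on the allowlist; denylists alone are bypassable.
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    # 5. The content must match the declared type's magic bytes.
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    # 6. A valid image header followed by JSP markup is a polyglot; reject it
    #    rather than rely on the container never interpreting the file.
    if b"<%" in content or b"<jsp:" in content.lower():
        return False, "embedded JSP markup"
    return True, "ok"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16       # constructed minimal PNG header
    samples = [
        ("pump.png", png),
        ("shell.jsp", b"<% %>"),
        ("shell.png.jsp", png),
        ("../pump.png", png),
        ("pump.png", png + b"<% %>"),
    ]
    for name, data in samples:
        print(name, validate_upload(name, data))
```

Keeping the accepted file's stored name server-generated (for example a random token plus the validated extension) and writing it outside the servlet container's document root closes the remaining gap: even a file that passes every check above then cannot be requested as a page.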

How can an authenticated attacker exploit the ScadaBR vulnerability to execute arbitrary code?

An attacker with authenticated access to ScadaBR can exploit this vulnerability by uploading and executing arbitrary JSP files through the view_edit.shtm interface. This allows them to gain significant control over the compromised system.

What is the potential impact of CVE-2021-26828 on an organization's operations and data?

This vulnerability presents a high risk, as it can lead to unauthorized code execution and system compromise. The potential impacts include disruption of operations, breaches of data confidentiality, and a general risk to system integrity. It is considered an urgent issue requiring prompt attention.

What are the recommended actions for organizations to address the ScadaBR vulnerability?

Organizations should prioritize identifying all exposed ScadaBR assets, reducing their exposure or isolating the risk, and then applying necessary fixes. Verification of the fix and continuous monitoring are crucial steps to protect business operations and sensitive data from compromise.
