OpenPLC ScadaBR Stored Cross-Site Scripting Vulnerability

CVE advisory | Known Exploit

CVE-2021-26829

A stored cross-site scripting vulnerability exists in OpenPLC ScadaBR, potentially allowing attackers to inject malicious code via system settings. This can impact system integrity and data confidentiality, affecting organizations by risking unauthorized access or data manipulation.

3 (Halo Surface Signal)

Cross-site Scripting

Scadabr

0.9.1 and earlier; 1.12.4 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2021-26829

ScadaBR is a SCADA/HMI platform used for industrial automation and monitoring. While these systems are typically deployed within private operational technology (OT) networks or behind internal controls, they are frequently made accessible via web interfaces for remote monitoring and management, making internet reachability plausible in some deployment scenarios.

Horizon Alert

Summary of the vulnerability and why it matters

The OpenPLC ScadaBR system has a vulnerability that allows for the injection of malicious code through its system settings page. This flaw can lead to security breaches by enabling unauthorized actions or data manipulation. The impact can disrupt operations and compromise sensitive information.

  • Vulnerable component: ScadaBR system settings
  • Core weakness: Stored cross-site scripting
  • Main business impact: Unauthorized access and data compromise

Attack Path

How an attacker could exploit the issue

An attacker can exploit a stored cross-site scripting vulnerability in ScadaBR. This allows them to inject malicious scripts into the application that are then served to other users. These scripts can perform actions on behalf of the user, potentially leading to unauthorized access or modification of system settings. This impacts organizations by risking the integrity of their operational data and control systems.

  • Vulnerability exposed via web interface.
  • Attacker injects script via system settings.
  • Malicious script executes in user's browser.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker with limited access to an organization's network to execute malicious scripts within the web browser of another user. This could lead to the theft of sensitive information or the modification of data viewed by the user. The attacker's skill level is considered low, and exploitation requires specific user interaction, making the immediate business risk moderate. However, given its inclusion in a known exploited vulnerabilities catalog, organizations should prioritize addressing this.

  • Attacker skill level: Low.
  • Required access or conditions: Limited user access and user interaction.
  • Business risk or urgency: Moderate, but treat as urgent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in OpenPLC ScadaBR allows for stored cross-site scripting, potentially impacting the integrity and confidentiality of data. Attackers with limited access could exploit this to inject malicious scripts, affecting users who interact with the system. Organizations utilizing ScadaBR should prioritize addressing this risk to protect their systems and sensitive operational data.

  • Locate all ScadaBR instances.
  • Reduce exposure by restricting access.
  • Implement vendor fixes and verify.
  • Monitor for related activities.

Frequently asked questions

What is OpenPLC ScadaBR and what is its purpose in industrial automation?

OpenPLC ScadaBR is a SCADA/HMI platform designed for industrial automation and monitoring. It provides a web-based interface for users to oversee and manage industrial processes, ensuring efficient and controlled operations.

What type of weakness does CVE-2021-26829 represent, and what is its classification?

CVE-2021-26829 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79. This means that an attacker can embed malicious scripts into the application, which can then be executed by other users' web browsers.

How can CVE-2021-26829 be exploited, and what is the specific entry point for an attacker?

An attacker can exploit this vulnerability by injecting malicious scripts through the system_settings.shtm page within ScadaBR. This flaw is triggered when the affected page is accessed by a user, allowing the script to execute within their browser session.

What is the relevance of CVE-2021-26829 given its inclusion in a known exploited vulnerabilities catalog?

The inclusion of CVE-2021-26829 in a known exploited vulnerabilities catalog indicates that it has been actively targeted by malicious actors. This elevates the urgency for organizations to address the vulnerability to prevent potential compromise, as it signifies a known attack vector being used in the wild.

What steps should organizations take to respond to the OpenPLC ScadaBR stored cross-site scripting vulnerability?

Organizations should identify all instances of OpenPLC ScadaBR, restrict external access to limit exposure, and apply any available vendor-provided fixes. Verification of applied patches and ongoing monitoring for suspicious activities are also crucial steps in mitigating the risk posed by this vulnerability.
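For the monitoring step, one way to review web server access logs for activity on the system_settings.shtm page named above. This is an added example, not vendor or ScadaBR project code; it assumes Combined Log Format, and the admin subnet, addresses and URL prefix in the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
SETTINGS_PAGE = "system_settings.shtm"   # page named in the advisory
# Markup that should never appear in a request for the settings page.
MARKUP_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)

def is_admin(ip, nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # hostname or garbage in the client field
        return False
    return any(addr in n for n in nets)

def review(lines, admin_nets):
    """Return (severity, reason, line) for each settings-page request of note."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, target, _status = m.groups()
        decoded = unquote(unquote(target))   # also exposes double encoding
        if SETTINGS_PAGE not in decoded.lower():
            continue
        if MARKUP_RE.search(decoded):
            findings.append(("high", "markup in request target", line))
        elif not is_admin(ip, nets):
            findings.append(("medium", f"{method} from non-admin source", line))
        elif method == "POST":
            findings.append(("info", "settings change from admin host", line))
    return findings

# Constructed sample lines; addresses, paths and the admin subnet are assumptions.
SAMPLE = [
    '10.20.0.5 - - [12/Mar/2024:08:01:10 +0000] "GET /ScadaBR/system_settings.shtm HTTP/1.1" 200 18211',
    '10.20.0.5 - - [12/Mar/2024:08:02:41 +0000] "POST /ScadaBR/system_settings.shtm HTTP/1.1" 200 512',
    '198.51.100.23 - - [12/Mar/2024:09:14:02 +0000] "GET /ScadaBR/system_settings.shtm HTTP/1.1" 200 18211',
    '198.51.100.23 - - [12/Mar/2024:09:15:30 +0000] "GET /ScadaBR/system_settings.shtm?x=%3Cscript%3E HTTP/1.1" 200 18211',
    '10.20.0.9 - - [12/Mar/2024:09:20:00 +0000] "GET /ScadaBR/login.htm HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for sev, reason, line in review(SAMPLE, ["10.20.0.0/24"]):
        print(f"{sev:6} {reason}: {line}")
```

Access logs do not record POST bodies, so an "info" row is a prompt to compare the saved settings values against what the administrator intended to enter.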
