MatrikonOPC A&E Historian Health Monitor Service Arbitrary File Disclosure Vulnerability
Release Date : 2013-04-30
Criticality level : Less critical
Impact : Exposure of sensitive information
Where : From local network
Solution Status: Vendor Patch
Software: MatrikonOPC A&E Historian 1.x
A vulnerability has been reported in MatrikonOPC A&E Historian, which can be exploited by malicious people to disclose certain sensitive information.
Certain input related to the Health Monitor service is not properly sanitised before being used to display files. This can be exploited to disclose contents of arbitrary files via directory traversal sequences by sending a specially crafted request to TCP port 8543.
The vulnerability is reported in version 184.108.40.206.
Apply security patch.
Provided and/or discovered by:
The vendor credits Dillon Beresford, Cimation via ICS-CERT.
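The missing check described above (a client-supplied file name reaching a file-display routine without sanitisation) can be closed with a containment test like the following. This is an added example, not MatrikonOPC code or the vendor patch; `resolve_inside`, `audit`, `TraversalError` and the sample names are hypothetical and constructed for illustration.

```python
import os
from urllib.parse import unquote

class TraversalError(ValueError):
    """Raised when a requested name resolves outside the served directory."""

def resolve_inside(base_dir, requested):
    """Map a client-supplied file name to a real path under base_dir, or raise."""
    # Decode percent-encoding until stable so %252e%252e cannot survive one pass.
    name = requested
    for _ in range(5):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    else:
        raise TraversalError("encoding nested too deeply")
    if "\x00" in name:
        raise TraversalError("NUL byte in name")
    # Treat backslash as a separator as well, since Windows hosts accept both.
    name = name.replace("\\", "/")
    # Reject absolute and drive-qualified names before joining.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise TraversalError("absolute path")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks, so the check sees the final target.
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise TraversalError("escapes base directory")
    return target

# Constructed sample names, not taken from the advisory or the product.
SAMPLES = [
    "status/health.log", "../../secret.ini", "..%2f..%2fsecret.ini",
    "%252e%252e%255csecret.ini", "C:\\Windows\\win.ini", "/etc/hosts",
]

def audit(base_dir, names=SAMPLES):
    """Return {name: True if served, False if rejected} for each sample."""
    results = {}
    for n in names:
        try:
            resolve_inside(base_dir, n)
            results[n] = True
        except TraversalError:
            results[n] = False
    return results
```

The check runs on the fully decoded, canonical path rather than on the raw request string, so encoded and backslash variants of `..` are rejected by the same comparison.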