CISA issues alert on Automated Logic WebCTRL premium server vulnerabilities

Automated Logic's WebCTRL Premium Server and associated products are affected by vulnerabilities involving open redirect and Cross-Site Scripting (XSS) weaknesses, potentially allowing attackers to redirect users to untrusted locations or execute harmful scripts.

The vulnerabilities include CVE-2024-8527, related to Open Redirect (CWE-601), affecting WebCTRL Server and Carrier i-Vu versions 6.1 through 8.5, along with Automated Logic SiteScan Web and Original Equipment Manufacturer (OEM) versions in the same range. This issue arises when the application accepts a user-supplied URL and redirects without validation. CVE-2024-8527 has Common Vulnerability Scoring System (CVSS) v3.1 and v4 base scores of 9.3 and 8.6, respectively. CVE-2024-8528 concerns XSS (CWE-79) due to insufficient sanitization of the “wbs” GET parameter in WebCTRL, impacting the same product versions. CVE-2024-8528 bears CVSS v3.1 and v4 scores of 7.5 and 5.4, respectively.
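The two weakness classes named above, as a defender would handle them in application code: a redirect-target check for the open redirect (CWE-601) and output encoding of a reflected GET parameter for the XSS (CWE-79). This is an added illustration, not Automated Logic's code or anything from the advisory; the host names and the shape of the page that echoes the parameter are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit, urlunsplit


def safe_redirect_target(user_url: str, allowed_hosts: set) -> "str | None":
    """Return a redirect target confined to this site, or None to refuse it.

    Accepts a site-relative path ('/foo') or an absolute http(s) URL whose
    host is in allowed_hosts. Rejects the usual open-redirect shapes:
    '//other-host', backslash variants, '///other-host', non-http schemes,
    and userinfo tricks such as 'https://good-host@other-host'.
    """
    if not user_url:
        return None
    # Browsers drop tab/CR/LF inside URLs and treat '\' like '/', so
    # normalise the same way before inspecting the value.
    candidate = user_url.strip()
    for ch in "\t\r\n":
        candidate = candidate.replace(ch, "")
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return None
        if parts.username or parts.password or not parts.hostname:
            return None
        if parts.hostname.lower() not in allowed_hosts:
            return None
        # Rebuild from parsed parts so nothing unexpected survives
        return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                           parts.path or "/", parts.query, ""))
    # No scheme: allow only a plain site-relative path, never '//host' forms
    if parts.netloc or not candidate.startswith("/") or candidate.startswith("//"):
        return None
    return urlunsplit(("", "", parts.path, parts.query, ""))


def render_wbs_field(query_string: str) -> str:
    """Reflect the 'wbs' GET parameter into HTML with output encoding.

    Constructed stand-in for a page that echoes a query parameter: the fix
    for CWE-79 is to encode at the point of output, including quotes, so the
    value can neither close the attribute nor start a tag.
    """
    value = parse_qs(query_string, keep_blank_values=True).get("wbs", [""])[0]
    return '<input name="wbs" value="{}">'.format(html.escape(value, quote=True))
```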

Exploitation may enable remote attackers to trick legitimate users into executing malicious scripts or to redirect them to harmful websites.

Automated Logic has addressed these issues in WebCTRL version 9.0. Earlier versions such as WebCTRL 6.1 and 7.0, and i-Vu 6.0 are no longer supported. Users are encouraged to upgrade to the fixed version and follow Automated Logic's security best practices documentation.

Users should reduce the network exposure of control system devices, restrict internet accessibility, and use firewalls to isolate control networks from business systems. If remote access is necessary, more secure connections such as VPNs should be employed, keeping in mind that the VPNs themselves must be kept current and secured. Organizations are advised to conduct impact assessments before applying defenses.

Additional resources on control system security and cyber defense strategies are available, and suspected malicious activity should be reported to relevant authorities. Preventive measures against social engineering include avoiding clicking unsolicited links and attachments, as outlined in established guidelines. No public exploitation of these vulnerabilities has been reported, and these issues are not remotely exploitable.