ICSA-19-157-01  ·  Published 2019-06-06  ·  Source: CISA ICS-CERT

Optergy Proton Enterprise Building Management System

CVSS 10.0 CRITICAL

Risk Summary

Successful exploitation of these vulnerabilities could allow an attacker to achieve remote code execution and gain full system access.

Remediations

  • Update Optergy server to Version 2.4.5 (or later) to remediate the issues described in this advisory (Proton and Optergy Enterprise).
  • Contact an Optergy Reseller who has access to this no-charge software update.
  • If unsure who to contact, send email to [email protected]
  • The latest Optergy software updates include important security updates, including enhancements to prevent unwanted intrusion. In addition to these software updates, Optergy emphasizes that it is important for users to ensure the site network is also secure, to add an extra layer of security. To keep the Optergy system safer from unintended access, Optergy recommends the following:
      • Close Port 22 or disable port forwarding to the Optergy server for Port 22 (SSH). This port is only used for technical support to remotely diagnose problems. If Port 22 is needed, open it only for the duration of the support activity. The default state should be closed.
      • Use secure SSL (Secure Socket Layer) connections when crossing the Internet; this means using an enterprise LAN that has firewalls and routers to block incoming traffic. Alternatively, deploy the Optergy OpenVPN, which is built in and offers encrypted communication. Optergy supports SSL for encrypted communication.
      • Use strong passwords. A strong password has a minimum of 12 characters; includes numbers, symbols, capital letters and lowercase letters; is not a dictionary word or a combination of dictionary words; and doesn't rely on obvious substitutions.
      • Never share passwords. Concurrent logins can be prevented in web server and portal preferences.
      • Use expiring passwords. Users of the system come and go; an expiring password will at least keep out people who may no longer be authorized to use the system.
      • Regularly update your software. Optergy updates always include stability, security, and other enhancements to maximize performance and reduce risk of downtime.
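The strong-password rule above (12+ characters, digits, symbols, mixed case, no dictionary word or combination of dictionary words, no obvious substitutions) is easy to state but usually enforced only by length. The checker below is an added example, not Optergy's or CISA's code: it implements each clause of that rule as a separate check, undoes a small table of common character substitutions so that "P@ssw0rd" is recognised as "password", and uses a prefix dynamic program to detect passwords assembled from dictionary words. The word list and substitution table are constructed for the example; a real deployment would load a full dictionary.

```python
"""Password policy check mirroring the advisory's strong-password clause.
Added example (not vendor code). DICTIONARY and SUBSTITUTIONS are constructed
stand-ins for a real word list and a real leet-speak table."""

import re

# Constructed sample dictionary; a real deployment would load a full word list.
DICTIONARY = {"password", "building", "manager", "optergy", "summer", "welcome",
              "admin", "secret", "system", "access", "proton", "energy"}

# Obvious substitutions that cracking wordlists already account for (assumed table).
SUBSTITUTIONS = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                               "0": "o", "$": "s", "5": "s", "7": "t"})


def plain_core(password):
    """Lower-case letters only, with digits and symbols simply dropped."""
    return re.sub(r"[^a-z]", "", password.lower())


def normalize(password):
    """Undo obvious substitutions, then keep letters only: 'P@ssw0rd' -> 'password'."""
    return re.sub(r"[^a-z]", "", password.lower().translate(SUBSTITUTIONS))


def dictionary_issue(core, dictionary=DICTIONARY, max_leftover=3):
    """Return a description if `core` is a dictionary word or is covered by
    dictionary words with at most `max_leftover` stray characters, else None.
    best[i] is the fewest uncovered characters when segmenting core[:i]."""
    if not core:
        return None
    if core in dictionary:
        return "dictionary word"
    n = len(core)
    best = [0] + [n] * n
    for i in range(1, n + 1):
        best[i] = best[i - 1] + 1          # leave character i-1 uncovered
        for j in range(i):
            if core[j:i] in dictionary:    # cover core[j:i] with one word
                best[i] = min(best[i], best[j])
    if best[n] < n and best[n] <= max_leftover:
        return "derived from dictionary words"
    return None


def check_password(password, dictionary=DICTIONARY):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    # Check the bare letters first, then the substitution-normalised form.
    for core in (plain_core(password), normalize(password)):
        issue = dictionary_issue(core, dictionary)
        if issue:
            problems.append(issue + " (after removing symbols and undoing obvious substitutions)")
            break
    return problems


if __name__ == "__main__":
    # Constructed candidates: three policy-looking but weak, one acceptable.
    for candidate in ["P@ssw0rd!123", "Summer2019!!", "Welc0me$Adm1n", "r7#Kq9!vLm2xZ"]:
        result = check_password(candidate)
        print(candidate, "->", "OK" if not result else "; ".join(result))
```

Note that "Welc0me$Adm1n" satisfies every character-class rule and the length rule, yet is rejected because, once the substitutions are undone, it segments into "welcome" + "admin" with a single stray letter; that is exactly the case the advisory's "combination of dictionary words" clause is aimed at, and the one most length-only checkers miss.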

Affected Vendors

Optergy

Affected Products (1)

Optergy · Proton/Enterprise <= 2.3.0a

Affected Sectors

Commercial Facilities, Government Facilities
