ICSA-23-166-01  ·  Published 2023-06-15  ·  CISA ICS-CERT

SUBNET PowerSYSTEM Center

CVSS 6.5 MEDIUM

Risk Summary

Successful exploitation of these vulnerabilities could allow an attacker to upload malicious scripts or cause a denial of service.

Remediations

  • SUBNET Solutions has fixed these issues by enabling a file integrity check on uploaded images and adding anti-forgery tokens to prevent replay attacks. The fix was introduced in PowerSYSTEM Center Update 12 and in Update 8 + Hotfix (both identified by release number 5.12.2305.10101, shown under Settings/Overview/Version).
  • SUBNET Solutions recommends the following workarounds:
      • Verify that SVG files contain no HTML elements or scripts, and validate that files uploaded as JPG or PNG really are JPG or PNG rather than SVG.
      • Verify network security rules to ensure that outbound connections to the internet are not possible.
      • If the above cannot be performed, or notifications are not required, disable email notifications for reports from PowerSYSTEM Center.
      • Monitor user activity and ensure that application control rules allow only preauthorized executables to run.
      • Prevent users from running other executables on client access servers (the PowerSYSTEM Center front-end access point).
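The following is an added worked example, not SUBNET's code and not part of the CISA advisory, showing how the first workaround looks as an upload filter in Python. The file type is decided from the bytes (PNG/JPEG magic, or an XML/`<svg` prefix), never from the client-supplied extension, so an SVG renamed to `.png` is refused. SVG bodies are then parsed and rejected if they contain `script` or `foreignObject` elements, any element outside the SVG namespace (which is where embedded HTML lands), `on*` event-handler attributes, or `href`/`src` values with a `javascript:` or remote scheme; that last rule also lines up with the workaround about blocking outbound connections. All function names and the sample files are constructed for this illustration.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Added example: names and sample data below are our own, not SUBNET's.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
SVG_NS = "http://www.w3.org/2000/svg"
DECLARED_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "svg": "svg"}

# Elements that run script or embed arbitrary HTML when an SVG is rendered.
FORBIDDEN_ELEMENTS = {"script", "foreignobject"}
# Attributes whose value is a URI the renderer will follow or execute.
URI_ATTRIBUTES = {"href", "src"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)


def classify(data: bytes) -> str:
    """Identify the upload from its bytes, never from the client-chosen filename."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    head = data[:1024].lower()
    if head.lstrip().startswith(b"<?xml") or b"<svg" in head:
        return "svg"
    return "unknown"


def _local(name: str) -> str:
    """ElementTree spells namespaced names as '{uri}local'; return 'local'."""
    return name.rpartition("}")[2]


def _namespace(name: str) -> str:
    return name.rpartition("}")[0].lstrip("{")


def _uri_allowed(value: str) -> bool:
    """Allow only fragment/relative references and inline non-SVG images."""
    compact = re.sub(r"[\x00-\x20]", "", value)  # browsers skip embedded controls/whitespace
    m = SCHEME_RE.match(compact)
    if not m:
        return True
    if m.group(1).lower() != "data":
        return False  # javascript:, vbscript:, http(s):, file: ... all refused
    media = compact[m.end():].lower()
    return media.startswith("image/") and not media.startswith("image/svg")


def svg_is_safe(data: bytes) -> tuple[bool, str]:
    """Reject SVGs carrying HTML, script, event handlers or executable/remote URIs."""
    # In production parse with defusedxml so entity-expansion attacks are blocked too.
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag.lower() in FORBIDDEN_ELEMENTS:
            return False, f"forbidden element <{tag}>"
        if _namespace(elem.tag) != SVG_NS:
            return False, f"element <{tag}> outside the SVG namespace"
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                return False, f"event handler attribute {name} on <{tag}>"
            if name in URI_ATTRIBUTES and not _uri_allowed(value):
                return False, f"disallowed URI in {name} on <{tag}>: {value!r}"
    return True, "ok"


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Extension must be permitted, content must match it, and SVGs must be clean."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = DECLARED_KIND.get(ext)
    if expected is None:
        return False, f"extension .{ext} not permitted"
    actual = classify(data)
    if actual != expected:
        return False, f"extension claims {expected} but content is {actual}"
    if actual == "svg":
        return svg_is_safe(data)
    return True, "ok"


# Constructed sample uploads (headers only for the raster files).
SAMPLES = {
    "logo.png": PNG_MAGIC + b"\x00" * 16,
    "photo.jpg": JPEG_MAGIC + b"\xe0" + b"\x00" * 16,
    "fake.png": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "clean.svg": b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="#0a0"/></svg>',
    "script.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "handler.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="9" height="9" onload="alert(1)"/></svg>',
    "html.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><iframe src="javascript:alert(1)"/></body></foreignObject></svg>',
    "link.svg": b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><a xlink:href="javascript:alert(1)"><text y="8">hi</text></a></svg>',
    "remote.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><image href="http://attacker.example/x.png" width="9" height="9"/></svg>',
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        ok, reason = validate_upload(name, blob)
        print(f"{name:12s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The check is a whitelist on the element namespace plus a deny list on a few known-dangerous elements and attributes; the namespace rule is what catches embedded HTML, since HTML inside an SVG must live in the XHTML namespace to render. A stricter deployment would also re-encode accepted SVGs through a sanitizer and serve them with `Content-Disposition: attachment` or from a separate origin, so that even a missed vector cannot run in the application's origin.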

Affected Vendors

SUBNET Solutions Inc.

Affected Products (1)

SUBNET Solutions Inc. · PowerSYSTEM Center <=

Affected Sectors

Critical Manufacturing
