Operation technology environment – Staying Alert! (CVE-2020-15492)

Preface: Computer technology enlightens the automation industry. Due to modern CNC (Computer Numeric Control) technology, tiny parts are easy to produce. Who is the hero of this industry? I believe it is CAD technology.

Background: CAD administrators use INNEO “Startup TOOLS” to manage working environments including licenses and standardized library elements and maintain their correct configuration. Users are relieved of routine tasks and can easily place many design elements instead of having to design them from scratch.
This is one of the reasons why companies rely on INNEO “Startup TOOLS” to make their work easier and more efficient.

Vulnerability details: An issue was discovered in INNEO Startup TOOLS 2017 M021 through 2018 M040 The sut_srv.exe web application (served on TCP port 85) includes user input into a filesystem access without any further validation. This might allow an unauthenticated attacker to read files on the server via Directory Traversal, or possibly have unspecified other impact.

Observation: INNEO Startup TOOLS (2018 M040 uses PHP version 5.2.13. So attacker can rely on the PHP programming to conduct the null-byte injection attack. Perhaps the intellectual property might at risk.

Remedy: The vendor has a newer version 6.x.x.x and ongoing which is the successor of the deprecated versions of 2018 and before.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.