
A Coordinated Disclosure Success Story

 

  • Vulnerabilities were found in versiondog version 8.0.
  • All vulnerabilities were fixed as part of versiondog 8.1 (released in October 2020) and all later versions.
  • No known public exploits target these vulnerabilities (Source: Cyber and Infrastructure Security Agency)
  • versiondog offers the highest possible security only if you are using the latest version.
  • AUVESY recommends upgrading versiondog to the latest version, currently version 9.0.


By Stefan Jesse (COO) AUVESY GmbH, Franziska Klostermann (Head of Marketing) AUVESY GmbH and Claroty


There are times when vulnerability research can turn adversarial.

Affected vendors can become defensive about white-hat researchers poking around their networks or software, especially when there aren’t adequate internal processes in place to triage and respond to bug reports. 

Researchers can then become frustrated over mitigation delays and publicly threaten to disclose details, while some affected vendors have been known to then respond by taking legal action or attempting to discredit the researcher. 

Customers, meanwhile, remain exposed to hackers as the two sides duke it out and vulnerabilities aren’t addressed in a timely manner.

Thankfully security research has matured as a practice, vulnerability and patch management programs are standard inside enterprises, and those scenarios are increasingly few and far between. Claroty Team82’s research partnership with AUVESY is one such success story. 

Team82 last year disclosed critical vulnerabilities (spanning 15 different CVEs) in AUVESY’s flagship version-control and automation backup product, versiondog. The security flaws could have enabled an advanced attacker to remotely run code of their choice and establish a fully working remote shell that would allow for reading or writing files, executing database queries, and much more. AUVESY has patched all of the vulnerabilities as part of versiondog 8.1 and all later versions; ICS-CERT has also released an advisory with vulnerability and mitigation information.

versiondog runs inside some of the largest industrial enterprises in the world to automatically store software versions, document them, and securely back up data that can be compared to current error-free versions in order to ensure plants run efficiently. Any disruption or manipulation of the information handled by the product could have devastating consequences to the safety and integrity of an industrial process. 

Two-plus decades of software development inside enterprises has demonstrated that vulnerabilities are inevitable. A timely, coordinated response from an affected vendor indicates a level of responsibility to customers and the ICS domain to ensure that products are safe and reliable to use. versiondog’s level of diligence in its engagement with Claroty went beyond a one-time patching of a handful of vulnerabilities. 
 

Addressing Root Cause Paves Way to Safer Ecosystem

AUVESY management and engineers addressed the root cause of the issue: they scanned the entire codebase and worked to properly understand the building blocks of the product in order to wipe out a class of vulnerabilities, rather than treating this as a one-off patching and mitigation exercise.

AUVESY was also prompted by this disclosure to examine and improve its product and development lifecycles in order to keep future vulnerabilities to a minimum and ultimately improve its overall security posture.

The company, a leader in data management for automated production environments, has a team of internal security experts working on testing and improving its products. In addition to having their data effectively safeguarded, customers benefit from high plant availability and keep downtime to an absolute minimum. AUVESY also relies on the input and feedback of external researchers in order to ensure product security is maintained at the highest level. In addition to a close strategic partnership with Claroty, a recognized security expert, AUVESY also relies on feedback from partners and customers.

 

Claroty Team82’s Research

AUVESY has patched or provided mitigations for all of the vulnerabilities privately disclosed by Team82. The vulnerabilities were found in the versiondog OS Server API, Scheduler, and WebInstaller in versiondog version 8.0. All vulnerabilities were fixed as part of versiondog 8.1 (released in October 2020) and all later versions. Some of the versiondog components affected by the vulnerabilities discovered by Team82 include:

  • versiondog OS Server API
    versiondog’s OS Server is a Windows service that processes versiondog API requests via a proprietary protocol. Team82 researchers discovered critical vulnerabilities in almost all mechanisms related to its message processing, including a lack of security checks, improper parameter sanitation, and unauthenticated remote interactions with a low-level Windows API.
     
  • versiondog Scheduler
    This service enables the user to start and stop jobs. Team82 found a number of issues, including SQL injection vulnerabilities that allow an attacker to inject a query that contains a malicious payload.
     

  • versiondog Web-Installer
    The product’s installer is a Golang web server executable that enables generation of an AUVESY image agent. Team82 found a resource consumption vulnerability that can be triggered by generating large numbers of installations that are saved in a temp folder and can consume all free space on the disk, preventing check in/out operations.
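
The resource-consumption issue described for the Web-Installer is the kind of failure that an admission check in front of every write to the temp folder prevents. The Go sketch below is an added example, not AUVESY's code or its actual fix: `Admit`, `ErrQuota`, the quota and the retention period are hypothetical names and values, and the sample folder is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// ErrQuota tells the caller to refuse the request instead of writing to disk.
var ErrQuota = errors.New("temp-folder quota exceeded")

// Admit (hypothetical helper) expires generated files older than ttl, then
// checks that need more bytes fit under quota. It returns the bytes in use.
func Admit(dir string, quota, need int64, ttl time.Duration, now time.Time) (int64, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return 0, err
	}
	var used int64
	for _, e := range entries {
		info, err := e.Info()
		if err != nil || !info.Mode().IsRegular() {
			continue // vanished, a directory or a symlink: not counted
		}
		if now.Sub(info.ModTime()) > ttl {
			if err := os.Remove(filepath.Join(dir, e.Name())); err != nil {
				return used, err
			}
			continue
		}
		used += info.Size()
	}
	if used+need > quota {
		return used, ErrQuota // fresh files are never evicted to make room
	}
	return used, nil
}

func main() {
	dir, err := os.MkdirTemp("", "installer-demo-") // constructed sample folder
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	_ = os.WriteFile(filepath.Join(dir, "agent-1.img"), make([]byte, 300), 0o600)
	used, err := Admit(dir, 400, 200, time.Hour, time.Now())
	fmt.Println(used, err) // refused: 300 bytes in use plus 200 requested is over 400
}
```

Refusing the request rather than deleting the oldest fresh file keeps a flood of generation requests from evicting images that legitimate users still need.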

CVE Information can be found here: https://us-cert.cisa.gov/ics/advisories/icsa-21-292-01


Recommendations

Team82’s research partnership with AUVESY is an illustration of how coordinated disclosures between researchers and affected vendors can result in positive change. Not only did AUVESY promptly address numerous critical vulnerabilities in its flagship versiondog product, but it also was prompted to evaluate the security culture inside its organization.

Rather than merely push out important patches to its customers, the company decided to take the opportunity to examine its product and secure development practices, look for root causes for these and other security issues, and instill a new attitude and approach internally that focuses on security first.

This is a true success story we wanted to share. Given the results of our Biannual ICS Risk & Vulnerability Report for 1H 2021, more eyes are looking for vulnerabilities in industrial control systems, SCADA equipment, and operational technology networks. In the first half of 2021 alone, 637 vulnerabilities were disclosed and patched, many of those in products sold by leading vendors in the ICS domain. Also, 42 new researchers disclosed vulnerabilities for the first time to affected vendors.

Those numbers are sure to continue to grow, and organizations must look at their vulnerability management programs, implement processes to accept, triage, and respond to bug reports, and assert themselves as responsible members of the ICS domain that put security first.