Carrier reports critical flaw in WebCTRL Premium Server and related products
Take action: If you are running Automated Logic WebCTRL Premium Server products at version 7.0, make sure they sit on an isolated network and are not reachable from the internet. Then review your options: either patch, or replace, since 7.0 has been end-of-life since January 2023.
Carrier is reporting multiple security vulnerabilities affecting its Automated Logic WebCTRL Premium Server and related products; the most severe could allow complete compromise of the server.
Vulnerability summary
- CVE-2024-8525 (CVSS 10.0) - Unrestricted File Upload: an unauthenticated attacker can upload dangerous file types without restriction, which can lead to remote command execution on the server hosting WebCTRL.
- CVE-2024-8526 (CVSS 6.5) - URL Redirection: an attacker can craft a link through the "index.jsp" endpoint that redirects an authenticated WebCTRL user to an attacker-controlled website (an open redirect, useful for phishing and for hiding the real destination of a link).
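The two vulnerability classes above have well-known server-side fixes: an allow-list on uploaded file names (every extension in the name, not just the last one) and a same-host check on any user-supplied redirect target. The block below is an added illustration of both checks in generic form; it is not code from Automated Logic, Carrier or the WebCTRL product, the advisory does not describe how the product's own endpoints are implemented, and the host name, file names and URLs in it are constructed sample inputs.

```python
"""Generic hardening checks for the two vulnerability classes in the advisory:
unrestricted file upload and open redirect. Added example, not WebCTRL code.
The sample host 'webctrl.example.com' and all test inputs are constructed."""
from urllib.parse import urlsplit

# Extensions a Java web server would execute, or that stage code. Illustrative
# list for this example; it is an assumption, not WebCTRL's own configuration.
DANGEROUS_EXTENSIONS = {
    "jsp", "jspx", "jspf", "war", "jar", "class", "sh", "bat", "exe", "dll",
    "php", "asp", "aspx", "htaccess",
}
# Allow-list of what the hypothetical upload endpoint actually needs.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "csv", "txt"}


def is_safe_upload_name(filename: str, allowed=ALLOWED_EXTENSIONS) -> bool:
    """Allow-list check on a client-supplied file name.

    Rejects path separators, NUL bytes, dot-files and names without an
    extension, then requires every extension in the name to be allow-listed,
    so 'shell.jsp.png' and 'shell.png.jsp' both fail. This is the opposite of
    the block-list approach that unrestricted-upload bugs usually grow from.
    """
    if not filename or "\x00" in filename:
        return False
    if "/" in filename or "\\" in filename:  # client must not choose a path
        return False
    if filename.startswith("."):             # .htaccess, .bashrc, etc.
        return False
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False                         # no usable base name/extension
    exts = parts[1:]
    return all(e in allowed and e not in DANGEROUS_EXTENSIONS for e in exts)


def is_safe_redirect(target: str, host: str) -> bool:
    """Return True only if `target` stays on this application's own host.

    Accepts a root-relative path ('/index.jsp?x=1') or an absolute http(s)
    URL whose authority is exactly `host`. Rejects protocol-relative
    '//evil', scheme tricks ('javascript:', 'data:'), backslash variants
    ('/\\evil') that browsers normalise to '//', and userinfo tricks
    ('https://host@evil').
    """
    if not target or any(c in target for c in "\r\n\t\x00"):
        return False
    norm = target.strip().replace("\\", "/")  # treat '\' like '/' as browsers do
    parts = urlsplit(norm)
    if parts.scheme:
        return parts.scheme in ("http", "https") and parts.netloc.lower() == host.lower()
    if parts.netloc:        # '//evil.example/x' has an empty scheme but a netloc
        return False
    return norm.startswith("/") and not norm.startswith("//")


def safe_redirect_or_default(target: str, host: str, default: str = "/") -> str:
    """What a hardened index.jsp-style handler would do: fall back to a fixed
    on-site location instead of following an unvalidated target."""
    return target if is_safe_redirect(target, host) else default


if __name__ == "__main__":
    host = "webctrl.example.com"   # constructed sample host
    for name in ["report.pdf", "shell.jsp", "shell.jsp.png", "../x.png"]:
        print(f"upload {name!r:20} -> {is_safe_upload_name(name)}")
    for url in ["/index.jsp?x=1", "https://evil.example/", "//evil.example/",
                "/\\evil.example", "javascript:alert(1)"]:
        print(f"redirect {url!r:28} -> {safe_redirect_or_default(url, host)}")
```

The redirect check compares the whole authority (host plus any port) rather than a hostname prefix or substring; substring checks such as `"webctrl.example.com" in url` are the usual way open redirects survive a first fix.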
The vulnerabilities affect multiple products in the Automated Logic ecosystem, including WebCTRL® Server, Carrier i-Vu, SiteScan Web, and WebCTRL for OEMs, all at version 7.0. The affected products are deployed worldwide and are particularly relevant to the Critical Manufacturing sector.
Automated Logic has released software updates to address these vulnerabilities, but note that version 7.0 reached end of support on January 27, 2023. The company strongly recommends that customers upgrade to the latest supported version; the URL redirection vulnerability is fixed in version 8.0 for all impacted products.
For immediate mitigation, organizations are advised to:
- Minimize network exposure for control system devices
- Place control system networks behind firewalls and isolate them from business networks
- When remote access is required, use secure methods such as VPNs, and keep the VPN software updated
- Follow Automated Logic's Security Best Practices Checklists for Building Automation Systems
CISA reports that no known public exploitation of these vulnerabilities had been observed at the time of disclosure.