Orpak SiteOmat (ICSA-19-122-01) – Product Used in the Energy Sector

The NCCIC has published an advisory on use of hard-coded credentials, cross-site scripting, SQL injection, missing encryption of sensitive data, code injection, and stack-based buffer overflow vulnerabilities in Orpak SiteOmat. Versions prior to 6.4.414.122 and 6.4.414.084 are affected. Successful exploitation of these vulnerabilities could result in arbitrary remote code execution resulting in possible denial-of-service conditions and unauthorized access to view and edit monitoring, configuration, and payment information. Orpak recommends users of affected versions update to the latest release v6.4.414.139 or later. The NCCIC also provides a series of recommendations for addressing the vulnerabilities. Read the advisory at NCCIC/ICS-CERT.