The notice below was made public on Monday to address a very minor potential security issue. To exploit it, someone must be able to log on to a VTScada server with Windows credentials and modify the files; i.e., this must be someone that you trust. The VTScada update limits access to the critical files to administrator users on the computer. There is no imminent risk or need to upgrade immediately.
VTScada DLL Planting and Privilege Escalation Security Enhancements
A security improvement has been implemented in VTScada 11.3.05 and higher versions to eliminate the risk that a trusted user logged in to the server running VTScada could introduce malware by planting DLLs or infecting VTScada executable files.
This is not a threat that could be exploited remotely via an internet connection; nevertheless, we take every opportunity to improve security to protect the critical operations of our customers.
To implement this enhancement, the VTScada binary files are now located in the Program Files folder. As a result, existing shortcuts to VTScada must be changed to refer to the VTScada shortcut found in the installation folder.
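To confirm on a given server that only administrators can modify the VTScada binaries, the folder's access control lists can be audited. The PowerShell script below is an added example, not part of the original notice and not Trihedral code; the `$InstallDir` parameter and the list of trusted SIDs are assumptions to adjust for your environment.

```powershell
# Added example, not vendor code. Pass the folder that holds the VTScada
# binaries on your server; no default path is assumed.
param([Parameter(Mandatory = $true)][string]$InstallDir)

# Rights that allow replacing a binary or dropping a new DLL beside it, plus the
# raw GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits that some ACEs carry.
$mask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

# Principals expected to hold write access under Program Files (assumption).
$trusted = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-3-0',        # CREATOR OWNER (inherit-only placeholder ACE)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Check the folder itself, every subfolder, and every executable or DLL in the tree.
$targets = @(Get-Item -LiteralPath $InstallDir) +
           @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force |
               Where-Object { $_.PSIsContainer -or $_.Extension -in '.exe', '.dll' })

$sidType = [System.Security.Principal.SecurityIdentifier]
$findings = foreach ($item in $targets) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
        [pscustomobject]@{
            Path   = $item.FullName
            Sid    = $ace.IdentityReference.Value
            Rights = $ace.FileSystemRights
        }
    }
}

if ($findings) {
    # A non-administrator principal can write here: DLL planting remains possible.
    $findings | Format-Table -AutoSize
    exit 1
}
Write-Output "No non-administrator write access found under $InstallDir"
```

Run it from an elevated prompt so that every ACL in the tree can be read; any row it prints is a path where a non-administrator account could still add or replace a file.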
We thank ICS-CERT for their help in identifying this potential vulnerability and for their work in keeping critical infrastructure safe.
About VTScada: VTScada is monitoring and control software for industrial systems. For over 31 years, VTScada has been used around the world in industries including water and wastewater, oil and gas, power generation, manufacturing, marine solutions, airport systems, and food and beverage.
For More Information: Contact Trihedral for information about downloading the latest version of VTScada.