CVE-2018-18986

Vulnerability

LAquis SCADA versions prior to 4.1.0.4150 (specifically version 4.1.0.3870 is confirmed affected) contain an out-of-bounds read vulnerability (CWE-125) triggered when opening a specially crafted report format file. This occurs due to improper input validation, allowing an attacker to cause the application to read memory outside the bounds of an allocated buffer. The issue is referenced in ICS-CERT advisory ICSA-19-015-01 [1].

Exploitation

An attacker can exploit this vulnerability remotely by delivering a malicious report format file to a user. The victim must open the file in the LAquis SCADA application. No authentication is required, and the attack requires low skill, as detailed in the advisory [1]. The exact sequence involves crafting a report file that triggers an out-of-bounds read upon parsing.

Impact

Successful exploitation could lead to a system crash, data exfiltration, or remote code execution. The CVSS v3 base score is 7.8, with a vector string indicating high impact on confidentiality, integrity, and availability, but requiring user interaction [1]. The attacker can gain the same privileges as the user running the SCADA software.

Mitigation

Upgrade to LAquis SCADA version 4.1.0.4150 or later, as this version contains the fix. The advisory was published on 2019-02-05. No workarounds are mentioned in the available references, and this vulnerability is not listed on the CISA KEV catalog [1].