PatchSiren

CVE-2024-39287 Dorsett Controls CVE debrief

Dorsett Controls InfoScan Central Server update server contains an unprotected file with passwords and API keys, enabling information disclosure to unauthenticated network attackers. The vulnerability was disclosed by CISA on August 8, 2024, with a CVSS 3.1 score of 5.3 (Medium). Affected versions include InfoScan 1.32, 1.33, and 1.35. The vendor has released version 1.38 to remediate this issue.

Vendor: Dorsett Controls
Product: InfoScan
CVSS: 5.3 (Medium)
CISA KEV: not listed in stored evidence
Original CVE published: 2024-08-08
Original CVE updated: 2024-08-08
Advisory published: 2024-08-08
Advisory updated: 2024-08-08

Who should care

Organizations operating Dorsett Controls InfoScan industrial control systems, particularly those managing building automation or facility control networks where InfoScan Central Server is deployed. Security teams responsible for ICS/OT asset management and credential security should prioritize this update.

Technical summary

The update server component of Dorsett Controls InfoScan Central Server serves a file containing passwords and API keys without requiring authentication, so anyone who can reach the update server over the network can read it. InfoScan versions 1.32, 1.33, and 1.35 are affected. The CVSS 3.1 score of 5.3 reflects network reachability (AV:N), low attack complexity (AC:L), no privileges or user interaction required (PR:N/UI:N), and a limited confidentiality impact (C:L) with no direct integrity or availability impact. The base score does not account for what the exposed credentials unlock: if they grant access to other InfoScan components or to third-party APIs, the practical impact for a given deployment is higher than 5.3 suggests. The vendor has addressed the issue in version 1.38.

Defensive priority

medium

Recommended defensive actions

  • Update InfoScan to version 1.38 or later through the System Prefs > Maintenance > Install Now workflow
  • If internet access is unavailable, download the update from the Dorsett Controls Customer Portal InfoScan Update tile and follow portal instructions
  • Treat every password and API key that was present in the exposed file as compromised: rotate them, and rotate any downstream credentials they protected, since the update alone does not invalidate secrets already read
  • Restrict network access to the Central Server update server to the administrative hosts and InfoScan clients that legitimately need it, and verify after the update that the file is no longer served to unauthenticated requests
  • Review update-server access logs for requests from hosts outside that allowlist, both successful downloads (possible disclosure) and failed attempts, and watch for use of the rotated credentials from unexpected sources
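The two checks a practitioner would want after the steps above, as an added example that is not Dorsett Controls or PatchSiren code: a scanner that reports credential-looking lines in a file the update server serves (so the team knows what to rotate, and can confirm nothing is served after the 1.38 update), and an access-log review that flags requests to the update server from hosts outside an allowlist. The advisory does not publish the exposed file's path, contents, or the update server's log format, so the sample file, the log lines, the path names, the credential key names and the combined-format log layout below are all constructed assumptions.

```python
"""Post-remediation checks for an unauthenticated update-server file exposure.

Added example, not vendor code. File contents, paths, hosts, key names and the
combined-format access-log layout are assumptions; the advisory publishes none
of them.
"""
import ipaddress
import re
from urllib.request import Request, urlopen

# Generic plaintext-credential patterns (key names are assumptions).
CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*(\S+)"),
    re.compile(r"(?i)\b(api[_-]?key|apikey|access[_-]?token|token|secret[_-]?key|secret)\s*[=:]\s*(\S+)"),
]

# Apache/nginx "combined" format, assumed for the update server's access log.
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


def find_credential_leaks(body: str) -> list[dict]:
    """Return one record per line that looks like a plaintext credential.

    Values are masked to two leading characters so the report is not a second leak.
    """
    findings = []
    for lineno, line in enumerate(body.splitlines(), start=1):
        for pat in CREDENTIAL_PATTERNS:
            m = pat.search(line)
            if m:
                key, value = m.group(1), m.group(2)
                masked = value[:2] + "*" * max(len(value) - 2, 0)
                findings.append({"line": lineno, "key": key, "value_masked": masked})
                break  # one record per line is enough for a rotation inventory
    return findings


def fetch_and_scan(url: str, timeout: float = 5.0) -> list[dict]:
    """Fetch one served file without credentials and scan it (URL is an assumption)."""
    req = Request(url, headers={"User-Agent": "update-server-exposure-check"})
    with urlopen(req, timeout=timeout) as resp:
        return find_credential_leaks(resp.read().decode("utf-8", "replace"))


def flag_unauthorized_requests(log_lines: list[str], allowed_nets: list[str]) -> list[dict]:
    """Flag update-server requests from sources outside the allowlist.

    served=True means the server answered 2xx, i.e. the file content actually left the
    host; served=False is an attempt worth correlating but not a confirmed disclosure.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    alerts = []
    for line in log_lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real deployment would count these too
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in nets):
            continue
        alerts.append({
            "ip": str(ip),
            "ts": m["ts"],
            "path": m["path"],
            "status": m["status"],
            "served": m["status"].startswith("2"),
        })
    return alerts


# Constructed sample of a served config-style file (not real InfoScan content).
SAMPLE_SERVED_FILE = """# constructed sample, not real InfoScan content
[database]
user=infoscan
password=Winter2024!
[cloud]
api_key=AKIA0000EXAMPLE0000
log_level=debug
"""

# Constructed access-log lines; 10.0.5.0/24 is the assumed admin/client subnet.
SAMPLE_ACCESS_LOG = [
    '10.0.5.20 - - [08/Aug/2024:10:01:02 +0000] "GET /update/manifest.xml HTTP/1.1" 200 1832 "-" "InfoScan-Updater"',
    '203.0.113.7 - - [08/Aug/2024:10:02:15 +0000] "GET /update/config.ini HTTP/1.1" 200 412 "-" "curl/8.0"',
    '203.0.113.7 - - [08/Aug/2024:10:02:16 +0000] "GET /update/backup.ini HTTP/1.1" 404 0 "-" "curl/8.0"',
    '10.0.5.21 - - [08/Aug/2024:10:05:00 +0000] "GET /update/manifest.xml HTTP/1.1" 200 1832 "-" "InfoScan-Updater"',
]

if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_SERVED_FILE):
        print(f"rotate: line {f['line']} key={f['key']} value={f['value_masked']}")
    for a in flag_unauthorized_requests(SAMPLE_ACCESS_LOG, ["10.0.5.0/24"]):
        print(f"{'SERVED' if a['served'] else 'attempt'} {a['ip']} {a['path']} {a['status']} at {a['ts']}")
```

Run `fetch_and_scan("http://<update-server>/<path>")` against the real server only after the 1.38 update; an empty result from an unauthenticated request is the confirmation the rotation step needs, and any non-empty result means the file is still exposed. The log check deliberately reports 2xx responses separately from failed attempts, because only the former establish that credential material left the host.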

Evidence notes

CISA ICS advisory ICSA-24-221-01 confirms the vulnerability exists in Dorsett Controls InfoScan versions 1.32, 1.33, and 1.35. The advisory identifies an unprotected file on the Central Server update server containing passwords and API keys. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N indicates network-accessible, low-complexity, unauthenticated information disclosure with no integrity or availability impact.

Official resources

CISA ICS advisory ICSA-24-221-01 (published 2024-08-08)