Full Report
A denial-of-service vulnerability exists in PcVue 12 because an unauthorized user can modify information used to validate messages sent by legitimate web clients.
Analysis Summary
# Vulnerability: Denial-of-Service in ARC Informatique PcVue Property Server
## CVE Details
- **CVE ID:** CVE-2020-26868
- **CVSS Score:** 7.5 (High)
  - *Note: While the source text lists a calculation error of 0.0, the vector `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` equates to a 7.5 High severity.*
- **CWE:** CWE-767 (Access to Critical Private Variable via Public Method)
## Affected Systems
- **Products:** ARC Informatique PcVue (Web & Mobile extensions including Property Server)
- **Versions:** 12.0.7 through 12.0.22 (Fixed in 12.0.23)
- **Configurations:** Systems utilizing WebVue, WebScheduler, or the TouchVue mobile app where the Property Server is accessible via port 8090/TCP.
## Vulnerability Description
A Denial of Service (DoS) vulnerability exists in the PcVue Property Server due to improper access control. An unauthorized user can remotely modify internal information used by the server to validate messages. By altering these validation parameters, an attacker can cause the server to fail the validation of legitimate messages sent by authorized web clients.
## Exploitation
- **Status:** Proof of Concept (PoC) available
- **Complexity:** Low
- **Attack Vector:** Network (Port 8090/TCP)
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Prevents legitimate users from connecting or operating via WebVue, WebScheduler, or TouchVue)
## Remediation
### Patches
- **Update to PcVue v12.0.23 or newer.** Product updates can be found at: `https[:]//www[.]pcvuesolutions[.]com/index.php/support-a-services/product-updates`
### Workarounds
- **Feature Minimization:** If the system does not require Web & Mobile features, do not install these extensions.
- **Service Isolation:** Ensure Web & Mobile extensions are only installed on the PcVue Web back-end server.
- **Network Access Control:** Configure border firewalls to allow only authorized traffic to reach `8090/TCP`.
## Detection
- **Indicators of Compromise:** Unusual connectivity failures for WebVue or TouchVue users; unexplained modification of server validation parameters.
- **Detection methods and tools:**
  - Implement a Network Intrusion Detection System (NIDS) to monitor for abnormal traffic on port 8090/TCP.
  - Monitor network logs for unauthorized IP addresses attempting to communicate with the Property Server.
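
One way to implement the log-monitoring check above, as an added example that is not part of the original advisory or of any vendor tooling. The log line format, the allowlisted networks, the server address `10.20.1.5` and the sample entries are all constructed assumptions; adapt the parser to the firewall or flow export actually in use.

```python
import ipaddress
from collections import Counter

PROPERTY_SERVER_PORT = 8090  # Property Server port named in the advisory

# Assumption: networks permitted to reach the Property Server (constructed values).
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.20.5.10/32")]

# Constructed sample log. Assumed format:
# <timestamp> <proto> <src_ip> <dst_ip> <dst_port> <action>
SAMPLE_LOG = """\
2020-10-09T08:00:01Z TCP 10.20.0.15 10.20.1.5 8090 ALLOW
2020-10-09T08:00:03Z TCP 192.0.2.44 10.20.1.5 8090 ALLOW
2020-10-09T08:00:04Z TCP 192.0.2.44 10.20.1.5 8090 ALLOW
2020-10-09T08:00:05Z UDP 198.51.100.7 10.20.1.5 8090 DENY
2020-10-09T08:00:07Z TCP 10.20.5.10 10.20.1.5 8090 ALLOW
2020-10-09T08:00:09Z TCP 203.0.113.9 10.20.1.5 443 ALLOW
malformed line
2020-10-09T08:00:11Z TCP 203.0.113.9 10.20.1.5 8090 DENY
"""

def is_allowed(src):
    """True if the source address falls inside any allowlisted network."""
    return any(src in net for net in ALLOWED_SOURCES)

def unauthorized_sources(log_text, server_ip):
    """Count non-allowlisted TCP connections to server_ip:8090, keyed by (src, action)."""
    server = ipaddress.ip_address(server_ip)
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed or truncated entries
        _, proto, src, dst, port, action = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port_no = int(port)
        except ValueError:
            continue  # unparseable address or port
        if proto != "TCP" or dst_ip != server or port_no != PROPERTY_SERVER_PORT:
            continue
        if not is_allowed(src_ip):
            hits[(src, action)] += 1
    return hits

if __name__ == "__main__":
    for (src, action), n in sorted(unauthorized_sources(SAMPLE_LOG, "10.20.1.5").items()):
        print(f"{src} -> 8090/TCP action={action} count={n}")
```

An `ALLOW` action for a non-allowlisted source means the border firewall rule from the workaround is missing or too broad; a `DENY` shows the rule working but still marks a source worth investigating.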
## References
- **Kaspersky ICS CERT:** `https[:]//ics-cert[.]kaspersky[.]com/advisories/2020/10/09/klcert-20-016-denial-of-service-in-arc-informatique-pcvue/`
- **NVD:** `https[:]//nvd[.]nist[.]gov/vuln/detail/CVE-2020-26868`
- **Vendor Advisory:** `https[:]//www[.]pcvuesolutions[.]com`