Applied Risk researcher, Gjoko Krstic, has identified a security vulnerability in the Sauter CASE Suite, a software package used to handle building automation projects with energy-efficient strategies and methods. The impact of this vulnerability is that an unauthenticated user can craft a malicious XML data file that allows them to access sensitive information or configuration files, potentially impacting the availability of the affected application.

The Sauter CASE Suite is a building management software that is used for project engineering and control functions of building management systems within both office and industrial environments. The application suffers from an XML External Entity (XXE) vulnerability, which can be used to cause a Denial of Service (DoS) condition via a specially crafted XML file.

This vulnerability is classified as high risk and has therefore been given a CVSS (Common Vulnerability Scoring System) of 8.6. Applied Risk has worked alongside Sauter in the responsible disclosure process, with the vendor releasing a patch within 10 days of disclosure by ICS-CERT on October 15th. It is recommended to organisations utilising the Sauter CASE Suite building automation software to update to the latest version.

The updates are available via the following link: https://www.sauter-controls.com/en/products-sauter/product-details/pdm/gzs-100-150-case-suite.html

To read an overview of the SAUTER CASE Suite advisory, please visit: https://applied-risk.com/application/files/7715/4115/4554/Sauter_Case_Suite_XXE_OOB_Vulnerability.pdf 

Sauter Automation has provided the following statement regarding this vulnerability and subsequent action taken:

The identified vulnerability is associated with CASE Components, a configuration tool included in the Sauter engineering package CASE Suite. CASE Components is a configuration tool for a limited range of peripheral products. Case Components is not used to engineer/configure Sauter’s Building Automation Stations. Any malicious xml file must be imported into CASE Components and in order to do this, the perpetrator must have access to a computer running CASE Components. Further, CASE Suite (Components) is an individually licenced engineering tool and as such is not installed on clients’ sites.

Following the identification of this vulnerability Sauter updated the XML parser to ensure stronger constraints were applied. Service Release 1 of CASE Suite 3.10 includes this corrective measure and this was issued within 10 days.

Sauter takes the security of its products extremely seriously and it will provide timely solutions to identified vulnerabilities as appropriate. Sauter would like to thank Applied Risk and ICS-CERT for their support.

For more details, please visit www.sauterautomation.co.uk/en.html