CVE-2017-17974

Name of the Vulnerable Software and Affected Versions BA SYSTEMS BAS Web versions on BAS920 devices with Firmware 01.01.00*, HTTPserv 00002, and Script 02.* BA SYSTEMS BAS Web versions on ISC2000 devices

Description The issue allows remote attackers to obtain sensitive information by making a request for "isc/get sid js.aspx" or "isc/get sid.aspx". This can lead to obtaining administrative access by using the credential information for the Supervisor/Administrator account.

Recommendations For BA SYSTEMS BAS Web on BAS920 devices with Firmware 01.01.00*, HTTPserv 00002, and Script 02.*, restrict access to the "isc/get sid js.aspx" and "isc/get sid.aspx" endpoints to minimize the risk of exploitation. For BA SYSTEMS BAS Web on ISC2000 devices, avoid using the Supervisor/Administrator account until the issue is resolved. As a temporary workaround, consider disabling the HTTPserv and Script components on both BAS920 and ISC2000 devices until a patch is available.