security advisory

[ICS] Schneider Electric Interactive Graphical SCADA System Software – Insecure Library Loading Allows Code Execution

[ICS] Schneider Electric Interactive Graphical SCADA System Software – Insecure Library Loading Allows Code Execution

Vendor: Schneider Electric
Equipment: Interactive Graphical SCADA System (IGSS) Software
Vulnerability: DLL Hijacking

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-094-01

AFFECTED PRODUCTS
Schneider Electric reports that the vulnerability affects the following IGSS HMI desktop application:
IGSS Software, Version 12 and previous versions.

IMPACT
An attacker who exploits this vulnerability may be able to remotely execute arbitrary code.

Vulnerable Libraries:

Application Executables (that look for missing DLL):

Application Executables (that look for missing OCX):

Steps to reproduce

 

VULNERABILITY OVERVIEW
UNCONTROLLED SEARCH PATH ELEMENT CWE-427
The software will execute a malicious file if it is named the same as a legitimate file and placed in a location that is earlier in the search path.

CVE-2017-6033 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

+++++

Leave a Reply

Your email address will not be published. Required fields are marked *