October 28, 2017 Karn Ganeshen

[ICS] mySCADA myPRO Unquoted Search Path Vulnerability

Vendor: mySCADA
Equipment: myPRO
Vulnerability: Unquoted Search Path

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-255-01

CVE-ID
CVE-2017-5170

AFFECTED PRODUCTS
The following versions of myPRO, an HMI/SCADA management platform, are affected:

  • myPRO Versions 7.0.26 and prior.

BACKGROUND

Critical Infrastructure Sectors: Energy, Food and Agriculture, Transportation Systems, and Water and Wastewater Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Czech Republic

VULNERABILITY OVERVIEW

UNQUOTED SEARCH PATH OR ELEMENT CWE-428

Application services utilize unquoted search path elements, which could allow an attacker to execute arbitrary code with elevated privileges.

CVE-2017-12730 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Details

The myscadaPro7 application installs seven (8) services. All of these services run as LocalSystem by default and suffer from an unquoted search path issue. This could allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system.

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges of the application.
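
The following audit check is an added example, not part of the ICS-CERT advisory or vendor material: it flags service image paths that are unquoted and contain a space in the executable portion, and prints the quoted form that removes the ambiguity. The function name, service names and paths are hypothetical, constructed samples and do not come from a myPRO installation.

```powershell
# Added example: CWE-428 audit over service image paths.
function Test-ServiceImagePath {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$PathName,
        [string]$StartName = 'LocalSystem'
    )
    $path = $PathName.Trim()
    $finding = [pscustomobject]@{
        Name = $Name; StartName = $StartName; PathName = $path
        Unquoted = $false; QuotedForm = $null
    }
    # A leading quote means the executable path is delimited unambiguously.
    if ($path.StartsWith('"')) { return $finding }
    # Split the executable from its arguments at the first ".exe" that is
    # followed by whitespace or the end of the string.
    if ($path -notmatch '^(?<exe>.*?\.exe)(?<args>\s.*)?$') { return $finding }
    $exe  = $Matches['exe']
    $rest = $Matches['args']
    # Only a space inside the executable portion makes the path ambiguous.
    if ($exe.Contains(' ')) {
        $finding.Unquoted   = $true
        $finding.QuotedForm = '"' + $exe + '"' + $rest
    }
    return $finding
}

# Constructed sample data (hypothetical service names and paths).
$samples = @(
    @{ Name = 'SampleSvcA'; PathName = 'C:\Program Files\Sample HMI\bin\svca.exe' }
    @{ Name = 'SampleSvcB'; PathName = 'C:\Program Files\Sample HMI\bin\svcb.exe -service' }
    @{ Name = 'SampleSvcC'; PathName = '"C:\Program Files\Sample HMI\bin\svcc.exe" -service' }
    @{ Name = 'SampleSvcD'; PathName = 'C:\Windows\System32\svcd.exe -k group' }
)

# SampleSvcA and SampleSvcB are reported; C is quoted, D has no space in its path.
$results = foreach ($s in $samples) { Test-ServiceImagePath @s }
$results | Where-Object Unquoted | Format-List Name, StartName, PathName, QuotedForm

# On a live host, audit the installed services instead of the samples:
# Get-CimInstance Win32_Service | Where-Object PathName | ForEach-Object {
#     Test-ServiceImagePath -Name $_.Name -PathName $_.PathName -StartName $_.StartName
# } | Where-Object Unquoted
```

Findings whose StartName is LocalSystem match the condition described above; QuotedForm is the value the service's ImagePath should carry once corrected.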

IMPACT

Successful exploitation of this vulnerability may allow an authenticated, but non-privileged, local user to execute arbitrary code with elevated privileges.

+++++
