GE has a new version available to mitigate a heap-based buffer overflow in its Communicator product, according to a report with NCCIC.
Exploitation of Communicator remotely exploitable vulnerability, discovered by Kimiya, working with iDefense Labs (now part of Accenture Security), could allow attackers to execute arbitrary code or create a denial-of-service condition.
An application for programming and monitoring supported metering devices, third party product Gigasoft, v5 and prior included in Communicator 3.15 and prior.
A malicious HTML file that loads the ActiveX controls trigger the vulnerability via unchecked function calls.
CVE-2017-7908 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.6.
The product sees use mainly in the critical manufacturing and energy sectors. It also sees action on a global basis.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.
GE recommends users update to Version 4.0 or the latest available release, to mitigate this vulnerability. Click here to download the update.