GE released version 4.0 of its Communicator software that mitigates a heap-based buffer overflow, according to a report with ICS-CERT.
Communicator 3.15 and prior suffer from the remotely exploitable vulnerability, discovered by Kimiya, working with iDefense Labs (now part of Accenture Security). Communicator is an application for programming and monitoring supported metering devices.
Exploitation of the vulnerability could allow attackers to execute arbitrary code or create a denial-of-service condition.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.
A malicious HTML file that loads the ActiveX controls could trigger the vulnerabilities via unchecked function calls.
CVE-2017-7908 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.6.
The product sees action in the critical manufacturing and energy sectors. It also sees use on a global basis.
Boston, MA-based GE recommends users update to the latest release, Version 4.0, to mitigate this vulnerability. Click here to obtain the latest version.