Progea has not provided an update to address the uncontrolled search path element and unquoted search path or element vulnerabilities in its Movicon SCADA/HMI, according to an ICS-CERT report. Progea did, however, issue a knowledge base article about DLL Hijacking.
Movicon, an HMI software platform, suffers from the remotely exploitable vulnerabilities in Version 11.5.1181 and prior. Karn Ganeshen discovered the vulnerabilities.
Successful exploitation of these vulnerabilities could allow privilege escalation or arbitrary code execution.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.
An uncontrolled search path element vulnerability may allow a remote attacker without privileges to execute arbitrary code in the form of a malicious DLL file.
CVE-2017-14017 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.8.
An unquoted search path or element vulnerability may allow an authorized local user to insert arbitrary code into the unquoted service path and escalate his or her privileges.
CVE-2017-14019 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.
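To check a host for the unquoted service path condition described above, the following added example (not from ICS-CERT or Progea) flags service command lines whose executable path contains spaces and is not wrapped in quotes. The service names and paths are constructed samples, and the function names are hypothetical.

```python
import re

# End of an executable name inside a service command line.
_EXE_END = re.compile(r"\.(exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)

def executable_part(image_path):
    """Split a service ImagePath into (executable path, was_quoted)."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    m = _EXE_END.search(s)
    # No recognisable extension: keep the whole string (conservative choice).
    return (s[:m.end()] if m else s), False

def is_unquoted_with_spaces(image_path):
    """True when the executable path itself has a space and no quotes.
    Spaces that only separate arguments after the executable do not count."""
    exe, quoted = executable_part(image_path)
    return not quoted and " " in exe

def audit(services):
    """Return the sorted names of services that need their path quoted."""
    return sorted(n for n, p in services.items() if is_unquoted_with_spaces(p))

# Constructed sample data, not taken from any real product installation.
SAMPLE_SERVICES = {
    "ExampleHmiSvc": r"C:\Program Files\Example Vendor\HMI Suite\hmisvc.exe -service",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\HMI Suite\hmisvc.exe" -service',
    "SvcHostLike": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "NoSpaceSvc": r"C:\Tools\agent.exe",
    "NoExtSvc": r"C:\Program Files\Example Vendor\agent",
    "DriverLike": r"\SystemRoot\System32\drivers\example.sys",
}

if __name__ == "__main__":
    for name in audit(SAMPLE_SERVICES):
        print("unquoted path with spaces:", name, "->", SAMPLE_SERVICES[name])
```

On a real system the input mapping would come from each service's ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services, and the fix for a flagged entry is to wrap the executable path in double quotes.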
The product sees use in the critical manufacturing, energy, food and agriculture, transportation systems, and water and wastewater systems sectors. It also sees action mainly in Europe, India, and the United States.
Italy-based Progea released a knowledge base article about DLL Hijacking.
ICS-CERT does suggest users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Users should:
• Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.