LCDS—Leão Consultoria e Desenvolvimento de Sistemas LTDA ME has a new version to mitigate an out-of-bounds write vulnerability in its LAquis SCADA, according to a report with NCCIC.
Successful exploitation of this vulnerability, discovered by Mat Powell, working with Zero Day Initiative, could allow remote code execution.
Industrial automation software version SCADA 184.108.40.20650 suffers from the vulnerability.
In the vulnerability, by opening specially crafted ELS file may result in a write past the end of an allocated buffer, which may allow an attacker to execute remote code in the context of the current process.
CVE-2019-6536 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.8.
The product sees use in the chemical, commercial facilities, energy, food and agriculture, transportation systems, and water and wastewater systems sectors. The product sees use mainly in South America.
This vulnerability is exploitable locally. No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.
Brazil-based LCDS recommends users update to Version 220.127.116.11.