MICROSYS, spol. s r.o. created a new version that mitigates a stack-based buffer overflow vulnerability in its PROMOTIC application, according to a report on ICS-CERT.
An anonymous researcher working with HP’s Zero Day Initiative (ZDI) discovered the remotely exploitable issue.
The following PROMOTIC versions suffer from the vulnerability:
• PROMOTIC versions prior to stable 8.2.19
• PROMOTIC versions prior to development 8.3.2
Successful exploitation of this vulnerability may result in denial of service or data leakage.
MICROSYS, spol. s r.o. is a Czech company with headquarters in Ostrava.
The affected product, PROMOTIC, is a Microsoft Windows-based supervisory control and data acquisition human-machine interface (SCADA/HMI) software programming suite for creating applications that monitor, control, and display technological processes. This suite also includes support for a web interface.
According to MICROSYS, spol. s r.o., PROMOTIC works across several sectors including critical manufacturing, energy, water and wastewater systems, and others. The PROMOTIC system primarily sees use in the Czech and Slovak Republics. It also sees action in Poland, Hungary, Slovenia, Serbia, Bulgaria, and Romania.
A demonstration application contains a stack-based overflow. This is only vulnerable when this application is running, which limits this vulnerability’s exposure.
CVE-2014-9205 is the case number assigned to this vulnerability and ZDI assigned a CVSS v2 base score of 7.5.
No known public exploits specifically target this vulnerability. An attacker with a low skill level would be able to exploit this vulnerability, if the vulnerable demonstration application is running.
MICROSYS, spol. s r.o. recommends that customers with affected versions of PROMOTIC update their installations by downloading the latest version and installation instructions from the MICROSYS, spol. s r.o. web site:
MICROSYS, spol. s r.o. produced a news release that contains additional information about new features and bug fixes for available stable and developmental PROMOTIC software versions.