Moxa created a new version to mitigate an unquoted service path escalation vulnerability in its Active OPC Server application, according to a report with ICS-CERT.
Zhou Yu, the independent researcher that discovered the vulnerability, tested the new version to validate it resolves the vulnerability.
Active OPC Server versions older than Version 2.4.19 suffer from the issue.
Successful exploitation of this vulnerability could potentially allow an authorized but nonprivileged local user to execute arbitrary code with elevated privileges on the system.
Moxa is a Taiwan-based company that maintains offices in several countries around the world, including the U.S., UK, India, Germany, France, China, Russia, and Brazil.
The affected product, Active OPC Server, is a software package that operates as an OPC driver for an HMI or SCADA system. Active OPC Server sees action across several sectors including commercial facilities, critical manufacturing, energy, and transportation systems. Moxa said this product sees use primarily in the United States and Europe with a small percentage in Asia.
The unquoted service path vulnerability allows an authorized individual with access to a file system to possibly escalate privileges by inserting arbitrary code into the unquoted service path.
CVE-2016-5793 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.
This vulnerability is not exploitable remotely and cannot end up exploited without local authorized user credentials.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill would be able to exploit this vulnerability.
Moxa recommends replacing existing Active OPC Server installations with the new software MX-AOPC UA server. Active OPC Server is nearing end of life by the end of 2016, and no further updates will end up issued.
For existing Active OPC installations, Moxa suggests upgrading to Active OPC Server Version 2.4.19.
If a user needs more information about patching, Moxa recommends contacting the Moxa Technical Support team or visit the Moxa technical support web page.