Moxa produced a patch to mitigate denial-of-service (DoS) and unquoted service path privilege escalation vulnerabilities in its DACenter application, according to a report with ICS-CERT.
Independent researcher Zhou Yu, who discovered the vulnerabilities, tested the patch to validate it resolves the remotely exploitable vulnerabilities.
DACenter versions 1.4 and older suffer from the issues.
The vulnerabilities may render the DACenter application unavailable and also allow an authorized but nonprivileged local user to execute arbitrary code with privileges on the system.
Moxa is a Taiwan-based company that maintains offices in several countries around the world, including the U.S., UK, India, Germany, France, China, Russia, and Brazil.
The affected product, DACenter, provides a standard OPC interface that interacts with Moxa Active OPC Server for real-time data collection.
DACenter sees action across several sectors including commercial facilities, critical manufacturing, energy, and water and wastewater systems. Moxa said this product sees use primarily in the United States and Europe with a small percentage in Asia.
A specially crafted project file may cause the program to crash.
CVE-2016-9354 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.5.
In addition, the application may suffer from an unquoted search path issue.
CVE-2016-9356 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.
No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill would be able to exploit these vulnerabilities.
Moxa recommends replacing existing DACenter installations with the new software MX-AOPC UA suite. DACenter is nearing end-of-life by the end of 2016, and no further updates will end up issued.
For existing DACenter installations, Moxa recommends contacting its Technical Support team or visiting the technical support web page.