Trihedral Engineering Limited has a new version that will mitigate an improper access control and an uncontrolled search path element in its VTScada, according to a report with ICS-CERT.
An HMI and SCADA software product, VTScada 11.3.03 and prior suffer from the vulnerabilities, discovered by Karn Ganeshen and Mark Cross who independently discovered these vulnerabilities and reported them to ICS-CERT.
Successful exploitation of these vulnerabilities may allow execution of arbitrary code.
No known public exploits specifically target these vulnerabilities. These vulnerabilities are not remotely exploitable. However, an attacker with low skill level would be able to leverage the vulnerabilities.
In one vulnerability, a local, non-administrator user has privileges to read and write to the file system of the target machine.
CVE-2017-14031 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.8.
In the uncontrolled search path element issue, the program will execute specially crafted malicious dll files placed on the target machine.
CVE-2017-14029 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.8.
The product sees use in multiple sectors including the chemical, communications, critical manufacturing, energy, food and agriculture, transportation systems, and water and wastewater systems.
The product also sees action mainly in North America and Europe
Bedford, Nova Scotia, Canada-based Trihedral Engineering Limited recommends users of an affected version update to the latest version, 11.3.05.
Click here for help file notes for upgrading VTScada/VTS.