Schneider Electric has new software that can mitigate an uncontrolled search path element in its Pro-face GP-Pro EX, according to a report with ICS-CERT.
GP Pro EX version 4.07.000, which is an HMI management platform, suffers from the issue, from which there are public exploits available.
Successful exploitation of this vulnerability, discovered by independent researcher, Karn Ganeshen, may allow arbitrary code execution.
This vulnerability is not remotely exploitable. High skill level is needed to leverage the vulnerability.
The product sees use mainly in the energy sector and on a global basis.
In the vulnerability, an attacker is able to force the process to load an arbitrary DLL and execute arbitrary code in the context of the process.
CVE-2017-9961 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.2.
Schneider Electric recommends users update to the latest software Version 4.07.100 or newer. This version of GP Pro EX software will resolve this vulnerability and is now available.
For more information about this vulnerability and patch, click on Schneider Electric Security Notification SEVD-2017-195-01.