Schneider Electric created new software to mitigate an unrestricted upload of file with dangerous type vulnerability in its StruxureOn Gateway, according to a report with ICS-CERT.
A software management platform, the vulnerability affects the StruxureOn Gateway, all versions prior to 1.2.
Successful exploitation of this remotely exploitable vulnerability discovered by Schneider Electric could allow a remote attacker to upload a malicious file to any directory on the device, which could lead to remote code execution.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability
In the vulnerability, uploading a zip file with modified metadata may allow remote code execution.
CVE-2017-9970 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.2.
The product sees use mainly in the critical manufacturing and energy sectors. It also sees action on a global basis.
Schneider Electric released a new version of the software.
For more information on these vulnerabilities and associated patch, see Schneider Electric’s security notification SEVD-2018-039-01.
Schneider Electric said in addition to upgrading to version 1.2, users should ensure they change the default passwords as this vulnerability requires authenticated access.