Schneider Electric released an update to mitigate an incorrect default permissions vulnerability in its Wonderware InduSoft Web Studio, according to a report from ICS-CERT.
Wonderware InduSoft Web Studio v8.0 Patch 3 and prior versions suffer from the issue, discovered by Karn Ganeshen.
Successful exploitation of this vulnerability could allow an authenticated user to escalate his or her privileges.
No known public exploits specifically target this vulnerability. This vulnerability is not remotely exploitable. However, an attacker with a low skill level could leverage the vulnerability.
Upon installation, Wonderware InduSoft Web Studio creates a new directory and two files that are placed in the system’s path and can be manipulated by non-administrators. This could allow an authenticated user to escalate his or her privileges.
CVE-2017-7968 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.
The product sees use in the critical manufacturing, energy, healthcare and public health, and water and wastewater systems sectors. It sees action on a global basis.
Paris, France-based Schneider Electric released Wonderware InduSoft Web Studio v8.0 + Service Pack 1 to address this vulnerability.
For more information, users of affected products can read Schneider Electric’s Security Notification.
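The weakness described above, a directory and files in the system’s path that non-administrators can modify, can be checked for on any Windows host. The following PowerShell audit is an added example, not code from Schneider Electric or ICS-CERT; the function name `Get-WeakPathAcl` is hypothetical, and the choice of Everyone, Authenticated Users and BUILTIN\Users as the principals to flag is an assumption. Deny entries are not evaluated.

```powershell
# Added example (not vendor code). Assumption: these well-known SIDs are the
# broad, non-administrative principals worth flagging.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, BUILTIN\Users

# Write-type rights only; Modify and FullControl both contain these bits.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$genericWriteOrAll = 0x50000000   # GENERIC_WRITE | GENERIC_ALL, seen on inherit-only ACEs

function Get-WeakPathAcl {
    param([string]$PathValue = [Environment]::GetEnvironmentVariable('Path', 'Machine'))

    # Expand and de-duplicate the directories listed in the machine-wide PATH.
    $dirs = $PathValue -split ';' |
        Where-Object { $_.Trim() } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')) } |
        Where-Object { Test-Path -LiteralPath $_ -PathType Container } |
        Select-Object -Unique

    foreach ($dir in $dirs) {
        # Check the directory itself plus the files directly inside it.
        $targets = @($dir) + @(Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            ForEach-Object { $_.FullName })
        foreach ($target in $targets) {
            try { $acl = Get-Acl -LiteralPath $target -ErrorAction Stop } catch { continue }
            # Resolve ACEs to SIDs so the match does not depend on localized group names.
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
            foreach ($ace in $rules) {
                $raw = [int]$ace.FileSystemRights
                $grantsWrite = ($raw -band [int]$writeRights) -or ($raw -band $genericWriteOrAll)
                if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and
                    $broadSids -contains $ace.IdentityReference.Value) {
                    [pscustomobject]@{
                        Path      = $target
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

Get-WeakPathAcl | Sort-Object Path | Format-Table -AutoSize
```

Run it from an elevated prompt so every ACL can be read; an empty result means no machine PATH entry grants write access to those three groups.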