Schneider Electric released an updated version that mitigates command injection vulnerabilities in its ProClima software package, according to a report on ICS-CERT.
The report on the remotely exploitable vulnerabilities came to ICS-CERT from HP’s Zero Day Initiative (ZDI) researchers Ariele Caltabiano, Andrea Micalizzi, and Brian Gorenc.
ProClima Version 6.0.1 and earlier are affected.
Successfully exploiting these vulnerabilities could allow a remote attacker to execute arbitrary code.
Schneider Electric’s corporate headquarters is located in Paris, France, and the company maintains offices in more than 100 countries worldwide.
The affected product, ProClima, is a configuration utility used to design control panel enclosures to accommodate the thermal load from the electrical/electronic devices inside and from the environment. ProClima is used across several sectors including critical manufacturing, commercial facilities, and energy. Schneider Electric estimates these products are deployed primarily in the United States and Europe, with a small percentage in Asia.
The MDraw30.ocx control can be initialized and called by malicious scripts, potentially causing buffer overflows that may allow an attacker to execute code remotely.
CVE-2014-8513, CVE-2014-8514, and CVE-2014-9188 are the case numbers assigned to these vulnerabilities, which have a CVSS v2 base score of 10.0.
The Atx45.ocx control can be initialized and called by malicious scripts, potentially causing a buffer overflow that may allow an attacker to execute code remotely.
CVE-2014-8511 and CVE-2014-8512 are the case numbers assigned to these vulnerabilities, which have a CVSS v2 base score of 10.0.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill would be able to exploit them.
Schneider Electric released an updated version of the ProClima software, Version 6.1.7, which mitigates these vulnerabilities. Customers should download the new version and update their installations. It is important that customers first uninstall the current version. They can then download the new version from Schneider Electric’s web site.
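For administrators who need to confirm where the two controls named above are registered and whether the installed ProClima build is still an affected one, the following PowerShell audit is an added example; it is not part of the ICS-CERT report or Schneider Electric's own tooling. It discovers CLSIDs whose InprocServer32 points at MDraw30.ocx or Atx45.ocx, reports whether Internet Explorer's kill bit (the 0x400 flag in "Compatibility Flags") is set for each, and compares the version found in the Uninstall registry entries against the fixed release 6.1.7. The assumptions are that the product's Uninstall entry has a DisplayName containing "ProClima" and that the control file names on disk match those cited in the advisory; the kill-bit check is a standard ActiveX hardening indicator and is reported only as information, since the mitigation the advisory gives is the update to 6.1.7.

```powershell
# Added example, not from the ICS-CERT report or Schneider Electric.
# Audits a Windows host for the ProClima ActiveX controls named in the advisory
# and for an installed ProClima version older than the fixed release.

$FixedVersion = [version]'6.1.7'            # fixed release named in the advisory
$AffectedOcx  = @('MDraw30.ocx', 'Atx45.ocx') # control file names named in the advisory
$KillBit      = 0x400                        # COMPAT_EVIL_DONT_LOAD bit in "Compatibility Flags"

function Test-KillBit {
    param([string]$Clsid)
    # The kill bit lives under HKLM (and Wow6432Node for 32-bit controls on 64-bit Windows).
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )
    foreach ($root in $roots) {
        $entry = Get-ItemProperty -Path (Join-Path $root $Clsid) -ErrorAction SilentlyContinue
        if ($entry -and (($entry.'Compatibility Flags' -band $KillBit) -ne 0)) { return $true }
    }
    return $false
}

function Get-AffectedActiveXControls {
    # Walk every registered CLSID and keep those whose in-process server is an affected .ocx.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $clsid  = $_.PSChildName
        $server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        if (-not $server) { return }
        $path = $server.'(default)'
        if (-not $path) { return }
        if ($AffectedOcx -contains (Split-Path -Path $path -Leaf)) {
            [pscustomobject]@{
                Clsid      = $clsid
                ServerPath = $path
                KillBitSet = Test-KillBit -Clsid $clsid
            }
        }
      }
}

function Get-ProClimaVersionStatus {
    # Assumption: the installer registers an Uninstall entry whose DisplayName contains "ProClima".
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
      Where-Object { $_.DisplayName -like '*ProClima*' } |
      ForEach-Object {
        $installed = $null
        [void][version]::TryParse([string]$_.DisplayVersion, [ref]$installed)
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            Version     = $_.DisplayVersion
            Affected    = if ($installed) { $installed -lt $FixedVersion } else { 'unknown' }
        }
      }
}

# Report: registered affected controls, then installed version against 6.1.7.
$controls = @(Get-AffectedActiveXControls)
if ($controls.Count -eq 0) {
    Write-Output 'No MDraw30.ocx / Atx45.ocx control is registered on this host.'
} else {
    $controls | Format-Table -AutoSize
    $noKillBit = @($controls | Where-Object { -not $_.KillBitSet })
    if ($noKillBit.Count -gt 0) {
        Write-Warning "$($noKillBit.Count) affected control(s) registered without the IE kill bit."
    }
}

$versions = @(Get-ProClimaVersionStatus)
if ($versions.Count -eq 0) {
    Write-Output 'No ProClima Uninstall entry found.'
} else {
    $versions | Format-Table -AutoSize
    if ($versions | Where-Object { $_.Affected -eq $true }) {
        Write-Warning "ProClima older than $FixedVersion found; uninstall it and install the updated release."
    }
}
```

Run it from an elevated PowerShell prompt on each workstation that has ProClima installed; a control that is still registered after the update, or a DisplayVersion below 6.1.7, indicates the uninstall-then-reinstall step described above was not completed.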
For further information on these vulnerabilities, see Schneider Electric’s security notification (SEVD 2014-344-01).