Tuesday, October 17, 2017

ICS-CERT Publishes Progea Advisory

Today the DHS ICS-CERT published a control system security advisory for the Progea Movicon SCADA/HMI. It describes two vulnerabilities in the product. The vulnerabilities were reported by Karn Ganeshen. Progea has only provided a generic Microsoft workaround for DLL hijacking at this point. ICS-CERT does not report any further scheduled response.

The two reported vulnerabilities are:

• Uncontrolled search path element - CVE-2017-14017; and
• Unquoted search path or element - CVE-2017-14019

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow privilege escalation or arbitrary code execution.
