SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-635119601] Progea Movicon SCADA/HMI

| Date | Type | Platform | Author | EDB-ID | CVE-ID | OSVDB-ID | Download | App | SIS Signature |
|---|---|---|---|---|---|---|---|---|---|
| 2017-10-17 | Other | Progea | Karn Ganeshen reported these vulnerabilities to ICS-CERT. | N/A | CVE-2017-1401 CVE-2017-1401 | N/A | N/A | N/A | |

Source

#
# Progea Movicon SCADA/HMI
#


### VULNERABLE VENDOR
Progea


### VULNERABLE PRODUCT
Movicon SCADA/HMI



### RESEARCHER
Karn Ganeshen reported these vulnerabilities to ICS-CERT.



### AFFECTED PRODUCTS

The following versions of Movicon HMI, an HMI software platform, are affected:

Movicon Version 11.5.1181 and prior.



### IMPACT

Successful exploitation of these vulnerabilities could allow privilege escalation or arbitrary code execution.



### VULNERABILITY OVERVIEW

UNCONTROLLED SEARCH PATH ELEMENT CWE-427
An uncontrolled search path element vulnerability has been identified, which may allow a remote attacker without privileges to execute arbitrary code in the form of a malicious DLL file.
CVE-2017-14017 has been assigned to this vulnerability.
A CVSS v3 base score of 6.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).


UNQUOTED SEARCH PATH OR ELEMENT CWE-428
An unquoted search path or element vulnerability has been identified, which may allow an authorized local user to insert arbitrary code into the unquoted service path and escalate his or her privileges.
CVE-2017-14019 has been assigned to this vulnerability.
A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).
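As an added example (not part of the CRITIFENCE advisory or of Progea's software), the audit an administrator would run for the CWE-428 condition above: it takes service ImagePath values (a constructed sample here; the service names and directories are placeholders, not Movicon's real install tree), flags any unquoted binary path that contains spaces, lists the directories whose ACLs must restrict writes to administrators, and produces the quoted ImagePath that closes the hole.

```python
import re

# Service command lines as they appear under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath. Constructed sample
# data: names and paths are placeholders, not a real vendor's install tree.
SAMPLE_IMAGE_PATHS = {
    "ExampleHmiSvc": r"C:\Program Files\Example Vendor\HMI Runtime\hmisvc.exe -service",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\Tools\updater.exe" -k netsvcs',
    "NoSpaceSvc": r"C:\Windows\system32\svchost.exe -k LocalService",
}

# The binary ends at the first .exe/.sys/.dll token; anything after it is arguments.
_BINARY_END = re.compile(r"\.(exe|sys|dll)(?=\s|$)", re.IGNORECASE)

def split_image_path(image_path):
    """Return (binary, args) for an unquoted ImagePath, or None if it is quoted."""
    s = image_path.strip()
    if s.startswith('"'):
        return None                  # already quoted: not CWE-428
    m = _BINARY_END.search(s)
    if not m:
        return s, ""                 # no recognisable extension: whole string is the binary
    return s[:m.end()], s[m.end():].strip()

def dirs_to_check(binary):
    """Directories where a stray 'Program.exe'-style file would be started instead of
    the intended binary; each must be writable only by administrators."""
    parts = binary.split(" ")
    dirs = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])                    # e.g. C:\Program
        dirs.append(prefix.rsplit("\\", 1)[0] + "\\")   # e.g. C:\
    return list(dict.fromkeys(dirs))                    # de-duplicate, keep order

def audit_image_path(image_path):
    """Return a finding for an unquoted binary path containing spaces, else None."""
    split = split_image_path(image_path)
    if split is None:
        return None
    binary, args = split
    if " " not in binary:
        return None                  # spaces only in the arguments are harmless
    fixed = f'"{binary}"' + (f" {args}" if args else "")
    return {"binary": binary, "dirs": dirs_to_check(binary), "fixed": fixed}

def audit_services(image_paths):
    """Map service name -> finding for every ImagePath that is flagged."""
    findings = {name: audit_image_path(path) for name, path in image_paths.items()}
    return {name: f for name, f in findings.items() if f}
```

On a live host, feed audit_services the ImagePath values read from the Services registry key (for example via `Get-ItemProperty` in PowerShell or Python's `winreg`) and write the "fixed" value back only after confirming the directories it lists are not writable by standard users.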





### BACKGROUND

Critical Infrastructure Sectors: Critical Manufacturing, Energy, Food and Agriculture, Transportation Systems, Water and Wastewater Systems
Countries/Areas Deployed: Europe, India, and United States
Company Headquarters Location: Italy




### MITIGATION

Progea has not provided an update to address these vulnerabilities. However, Progea has issued a knowledge base article about DLL Hijacking, which can be found at the following location:

http://www.movicon.info/Support/MoviconKB/WebHelp/Knowledgebase/kb000035.htm