Energy management company
Schneider Electric has released a patch to address a serious
vulnerability affecting Pelco DS-NVs, a video management software used
worldwide in the commercial facilities industry and other sectors.
Security researchers Ariele Caltabiano
and Andrea Micalizzi discovered that the product is plagued by a high
severity buffer overflow vulnerability that can be exploited by a remote
attacker for arbitrary code execution. The experts reported their
findings to Schneider Electric through HP’s Zero Day Initiative (ZDI),
the Industrial Control Systems Cyber Emergency Response Team
(ICS-CERT) said in an advisory.
The flaw, which exists in a DLL file used by the product, has been assigned the CVE-2015-0982 identifier and a CVSS base score of 7.5.
The bug affects Pelco DS-NVs version
7.6.32 and earlier, and it can be exploited even by an attacker with low
skill. Schneider Electric has released version 7.8.90 of the product to
resolve the vulnerability.
“Schneider Electric would like to thank
Ariele Caltabiano (kimiya) and Andrea Micalizzi (rgod) working with HP’s
Zero Day Initiative for their discovery and cooperation during this
vulnerability disclosure process,” Schneider wrote in its own advisory.
ICS-CERT says it’s unaware of public exploits specifically targeting this vulnerability.
This isn’t the first patch released by
Schneider Electric this year. In January, the company released software
updates to address vulnerabilities in Wonderware InTouch Access Anywhere
Server. Last month, the energy giant fixed vulnerabilities affecting
Invensys SRD Control Valve Positioners, InduSoft Web Studio, and the the
InTouch Machine Edition 2014 product line.
No comments:
Post a Comment