There are a number of critical, remotely exploitable command injection vulnerabilities in Schneider Electric’s ProClima software, which is used in manufacturing and energy facilities.
The ProClima application is a utility that customers use to design control panel enclosures in industrial facilities to help manage the heat from enclosed electrical devices. The bugs affect ProClima versions 6.0.1 and earlier, according to an advisory released by ICS-CERT. The flaws exists in two separate components of the ProClia software, MDraw30.ocx and Atx45.ocx.
“MDraw30.ocx control can be initialized and called by malicious scripts potentially causing buffer overflows, which may allow an attacker to execute code remotely,” the advisory says.
The same scenario is true for the vulnerabilities in Atx45.ocx. All of the vulnerabilities can be exploited remotely, and ICS-CERT said that an attacker with relatively low skills would be able to exploit the bugs. There aren’t any known exploits for the vulnerabilities at this point, however.
The vendor has pushed out a new version of the ProClima package that contains fixes for the vulnerabilities.
“Schneider Electric has released an updated version of the ProClima software, Version 6.1.7, which mitigates these vulnerabilities. Customers are encouraged to download the new version and update their installations. It is important that customers first uninstall the current version,” the ICS-CERT advisory says.
The vulnerabilities were reported to Schneider Electric by Ariele Caltabiano, Andrea Micalizzi, and Brian Gorenc through the Zero Day Initiative.