Network Vision Fixes Code Injection Hole

Friday, February 27, 2015 @ 05:02 PM gHale

Network Vision created a new version that mitigates a code injection vulnerability in its IntraVue software, according to a report on ICS-CERT.

All Windows versions of IntraVue prior to Version 2.3.0a14 suffer from the remotely exploitable vulnerability, discovered by researcher Jürgen Bilberger from Daimler TSS GmbH.

Successful exploitation of this vulnerability could allow an unauthenticated user to execute arbitrary operating system commands that could impact the confidentiality, integrity, and availability of an affected server.

Newburyport, MA-based Network Vision’s affected product, IntraVue, is a software package for network visualization. IntraVue sees action across several sectors including critical manufacturing, transportation systems, and water and wastewater systems. Network Vision estimates these products see use globally with a significant portion in North America and Europe.

Unauthenticated users can exploit the vulnerability to execute arbitrary operating system commands on an affected server system.

CVE-2015-0977 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

No known public exploits specifically target this vulnerability. However, an attacker with low skill would be able to exploit this vulnerability.

Network Vision released a new version of the IntraVue software that mitigates the code injection vulnerability. Users should install the new version as soon as they can, the company said. Users who have software support contracts with Network Vision can upgrade to the newest version at no cost. For more information, call Network Vision at U.S.: (877) 499-8100 or (978) 499-7800, or email them.
