Unitronics Fixes VisiLogic Holes
Friday, November 13, 2015 @ 04:11 PM gHale
Unitronics created an updated package to mitigate the vulnerabilities in its VisiLogic OPLC IDE, according to a report on ICS-CERT.
HP’s Zero Day Initiative (ZDI) reported the vulnerabilities, which were discovered by Steven Seeley of Source Incite, Fritz Sands of ZDI, and Andrea Micalizzi. They are remotely exploitable.
Unitronics VisiLogic OPLC IDE Version 9.8.0.00 and previous versions are affected.
A successful exploit of these vulnerabilities could lead to remote code execution.
Unitronics has offices in the United States and Israel and sells products through partners worldwide.
Unitronics VisiLogic OPLC IDE is an HMI and PLC application programming environment for Vision and SAMBA series controllers. Unitronics officials said these products see use worldwide in multiple sectors.
In several instances, ActiveX controls that should be restricted remain marked as safe-for-scripting.
CVE-2015-6478 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.
There are several instances where an external input can change the behavior of the target application.
CVE-2015-7905 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.6.
No known public exploits specifically target these vulnerabilities. An attacker with medium skill would be able to exploit these vulnerabilities.
Unitronics released an updated package, VisiLogic V9.8.02, to address these vulnerabilities.
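To check an engineering workstation for the safe-for-scripting condition described above, the following PowerShell audit is an added example, not code from the article, ICS-CERT or Unitronics. It lists registered COM classes that carry the standard safe-for-scripting or safe-for-initializing category and reports whether Internet Explorer's kill bit is set for each. The article does not name the affected controls, so the `Unitronics` path filter is an assumption about the install location; pass an empty string to list every such control.

```powershell
# Added example: audit ActiveX controls marked safe-for-scripting/initializing.
param(
    # Assumption: substring of the vendor install path; '' lists all controls.
    [string]$PathFilter = 'Unitronics'
)

# Standard COM component categories that tell IE a control is "safe".
$SafeCats = @{
    '{7DD95801-9882-11CF-9FA9-00AA006C42C4}' = 'SafeForScripting'
    '{7DD95802-9882-11CF-9FA9-00AA006C42C4}' = 'SafeForInitializing'
}
$KillBit = 0x400   # "Compatibility Flags" bit that stops IE loading the control

# Native and 32-bit (WOW6432Node) registrations are stored separately.
$Views = @(
    @{ Clsid  = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Clsid  = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
       Compat = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

foreach ($v in $Views) {
    if (-not (Test-Path -LiteralPath $v.Clsid)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $v.Clsid -ErrorAction SilentlyContinue) {
        $cats = $key.OpenSubKey('Implemented Categories')
        if (-not $cats) { continue }
        $marks = $cats.GetSubKeyNames() | ForEach-Object { $SafeCats[$_] } | Where-Object { $_ }
        if (-not $marks) { continue }

        # Resolve the binary behind the class (in-process DLL/OCX or local server EXE).
        $server = $null
        foreach ($name in 'InprocServer32', 'LocalServer32') {
            $sub = $key.OpenSubKey($name)
            if ($sub -and -not $server) { $server = $sub.GetValue('') }
        }
        if ($PathFilter -and ("$server" -notlike "*$PathFilter*")) { continue }

        $compat = Join-Path $v.Compat $key.PSChildName
        $flags = (Get-ItemProperty -LiteralPath $compat -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            CLSID      = $key.PSChildName
            MarkedSafe = $marks -join ','
            KillBitSet = [bool]($flags -band $KillBit)
            Server     = $server
        }
    }
}
```

Any row with `KillBitSet` false is a control that a web page rendered in Internet Explorer can still instantiate and script; compare the output before and after installing the updated package.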