PcVue Works to Patch Vulnerabilities

Friday, December 9, 2011 @ 05:12 PM gHale

There are four vulnerabilities in ARC Informatique’s PcVue application, with potential impacts including writes to memory, file corruption, remote code execution, and denial of service.

Independent researcher Kuang-Chun Hung of Security Research and Service Institute Information and Communication Security Technology Center (ICST) privately identified a buffer overflow vulnerability in ARC Informatique’s PcVue application, according to ICS-CERT.

Independent researcher Luigi Auriemma publicly disclosed four vulnerabilities along with proof-of-concept (PoC) exploit code, including the vulnerability privately disclosed by ICST, without coordination with ARC Informatique, ICS-CERT, or any other coordinating entity known to ICS-CERT.

ARC Informatique confirmed these vulnerabilities and released a patch to address them. Researcher Kuang-Chun Hung tested the patch and validated that it resolves these vulnerabilities.

ARC Informatique said the following products suffer from the holes:
• PcVue — All versions from 6.xx onward
• FrontVue — All versions
• PlantVue — All versions

Successful exploitation of these vulnerabilities could result in denial of service, write to memory, file corruption, or remote code execution.

ARC Informatique is a French-based company that develops human-machine interface/supervisory control and data acquisition (HMI/SCADA) software used to interface with control systems.

According to ARC Informatique, PcVue is used across several sectors including manufacturing, building automation, chemical, banking and finance, electric utilities, and others. ARC Informatique estimates these products are used primarily in Europe, but also in the U.S. and around the world.

ARC Informatique released a patch to address these vulnerabilities. Users of vulnerable versions of ARC Informatique’s PcVue should deploy the patch.
