1. EXECUTIVE SUMMARY
- CVSS v3 5.3
- ATTENTION: Low attack complexity
- Vendor: General Electric
- Equipment: MiCOM S1 Agile
- Vulnerability: Uncontrolled Search Path Element
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to upload malicious files and achieve code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of General Electric MiCOM S1 Agile are affected:
- MiCOM S1 Agile: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 UNCONTROLLED SEARCH PATH ELEMENT CWE-427
General Electric MiCOM S1 Agile is vulnerable to an attacker achieving code execution by placing malicious DLL files in the directory of the application.
CVE-2023-0898 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Multiple
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
Sushant Mane, Anooja Joy & Dr. Faruk Kazi from CoE-CNDS Lab, VJTI, Mumbai, India reported this vulnerability to CISA.
4. MITIGATIONS
General Electric has released an update that resolves this vulnerability. No action is required by the customer.
For more information, see General Electric’s Security Advisory.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive me
[…]