1. EXECUTIVE SUMMARY
- CVSS v3 7.8
- ATTENTION: Low Attack Complexity
- Vendor: Schneider Electric
- Equipment: Vijeo Designer
- Vulnerability: Improper Privilege Management
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could cause a non-admin authenticated user to perform privilege escalation by tampering with the binaries.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:
- Schneider Electric Vijeo Designer: All versions prior to 6.3 SP1
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER PRIVILEGE MANAGEMENT CWE-269
Improper Privilege Management vulnerabilities exist that could cause unauthorized access, loss of confidentiality, integrity, and availability of the workstation if non-admin authenticated users try to perform privilege escalation by tampering with the binaries.
CVE-2024-8306 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: France
3.4 RESEARCHER
Schneider Electric CPCERT reported this vulnerability to CISA.
CVE-2024-8306:
Charit Misra of Applied Risk (DNV Cyber) reported this vulnerability to CISA.
4. MITIGATIONS
Schneider Electric has identified the following specific workarounds and mitigations users ca
[…]