Subnet Solutions Inc. PowerSYSTEM Center

1. EXECUTIVE SUMMARY

  • CVSS v3 7.8
  • ATTENTION: Low attack complexity
  • Vendor: Subnet Solutions Inc.
  • Equipment: PowerSYSTEM Center
  • Vulnerability: Unquoted Search Path or Element

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in an attacker achieving arbitrary code execution and privilege escalation through the unquoted service path.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of PowerSYSTEM Center, a multi-function management platform, are affected:

  • PowerSYSTEM Center: 2020 v5.0.x through 5.16.x

3.2 VULNERABILITY OVERVIEW

3.2.1 UNQUOTED SEARCH PATH OR ELEMENT CWE-428

Subnet Solutions PowerSYSTEM Center versions 2020 v5.0.x through 5.16.x contain a vulnerability that could allow an authorized local user to insert arbitrary code into the unquoted service path and escalate privileges.

CVE-2023-6631 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
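
A defensive audit for the CWE-428 condition described above, as an added example that is not part of the advisory or of Subnet Solutions' software: it flags Windows service ImagePath values whose executable path contains a space but is not quoted, and returns the quoted replacement. The service names and paths are constructed and hypothetical, and treating the first ".exe" as the end of the executable is an assumption.

```python
import re

# Assumption: the executable ends at the first ".exe" that is followed by
# whitespace or the end of the string; everything after it is arguments.
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def audit_image_path(image_path):
    """Return (is_vulnerable, suggested_value) for one service ImagePath."""
    value = image_path.strip()
    if not value or value.startswith('"'):
        return False, value          # empty, or already quoted
    match = _EXE_END.search(value)
    if match is None:
        return False, value          # e.g. kernel driver (.sys); out of scope
    exe, args = value[:match.end()], value[match.end():]
    if " " not in exe:
        return False, value          # spaces only separate the arguments
    return True, '"' + exe + '"' + args


def audit_services(services):
    """Map service name -> quoted replacement for every flagged entry."""
    findings = {}
    for name, image_path in services.items():
        vulnerable, fixed = audit_image_path(image_path)
        if vulnerable:
            findings[name] = fixed
    return findings


# Constructed sample data; service names and paths are hypothetical.
SAMPLE_SERVICES = {
    "ExampleAgent": r"C:\Program Files\Example Vendor\Agent\agent.exe -service",
    "QuotedAgent": r'"C:\Program Files\Example Vendor\Agent\agent.exe" -service',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "EnvPath": r"%ProgramFiles%\Example Vendor\Agent\agent.exe",
    "Driver": r"\SystemRoot\System32\drivers\example.sys",
}

if __name__ == "__main__":
    for name, fixed in audit_services(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces; set ImagePath to {fixed}")
```

On a live host the input would be the ImagePath value of each key under HKLM\SYSTEM\CurrentControlSet\Services.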

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Multiple
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Canada

3.4 RESEARCHER

Kelly Stich of Subnet Solutions Inc. reported this vulnerability to CISA.

4. MITIGATIONS

Subnet Solutions recommends users upgrade to PowerSYSTEM Center versions 2020 Update 17 or later. To obtain this software, contact Subnet Solutions’ Customer Service.

Additionally, Subnet Solutions recommends users apply Application Allowl

This article has been indexed from All CISA Advisories