7-Technologies IGSS < 18.104.22.16843 ODBC Invalid Structure RCE
Critical Nessus Plugin ID 89030
Synopsis
The remote host contains a SCADA application that is affected by a remote code execution vulnerability.

Description
The 7-Technologies / Schneider-Electric Interactive Graphical SCADA System (IGSS) application installed on the remote Windows host is a version prior to 22.214.171.12443. It is, therefore, affected by a memory corruption issue in the ODBC service due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted structure in a packet sent to TCP port 22202, to cause a stack-based buffer overflow, resulting in the execution of arbitrary code with administrative privileges.

Solution
Upgrade to IGSS version 126.96.36.19943 or later.