SB2014022802 - Input validation error in Floating License Manager

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2014-0759)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Unquoted Windows search path vulnerability in Schneider Electric Floating License Manager 1.0.0 through 1.4.0 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character. Per: http://cwe.mitre.org/data/definitions/428.html "CWE-428: Unquoted Search Path or Element" Per: http://ics-cert.us-cert.gov/advisories/ICSA-14-058-01 "This license manager is used in the following Schneider Electric products: Power Monitoring Expert, Struxureware process Expert (PES), Struxureware process Expert libraries, Vijeo Citect (SCADA), and Vijeo Citect Historian."

Remediation

Install update from vendor's website.

References

• http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-015-01
• http://ics-cert.us-cert.gov/advisories/ICSA-14-058-01