SCADA File Parsing Vulnerability

Thursday, March 13, 2014 @ 05:03 PM gHale


Schneider Electric prepared workarounds and helped develop security upgrades for a third party component affected by the file parsing vulnerability in its StruxureWare SCADA Expert ClearSCADA, according to a report on ICS-CERT.

Researcher Andrew Brooks identified the vulnerability and reported it to The Zero Day Initiative (ZDI).


The following SCADA Expert ClearSCADA versions suffer from the issue:
• ClearSCADA 2010 R2 (build 71.4165)
• ClearSCADA 2010 R2.1 (build 71.4325)
• ClearSCADA 2010 R3 (build 72.4560)
• ClearSCADA 2010 R3.1 (build 72.4644)
• SCADA Expert ClearSCADA 2013 R1 (build 73.4729)
• SCADA Expert ClearSCADA 2013 R1.1 (build 73.4832)
• SCADA Expert ClearSCADA 2013 R1.1a (build 73.4903)
• SCADA Expert ClearSCADA 2013 R1.2 (build 73.4955)
• SCADA Expert ClearSCADA 2013 R2 (build 74.5094)

Successful exploitation of this vulnerability can cause the process to crash, resulting in a denial of service.

Paris, France-based Schneider Electric maintains offices in 190 countries worldwide. SCADA Expert ClearSCADA sees use across several sectors including Commercial Facilities, Energy, and Water and Wastewater Systems.

An input validation vulnerability in project-file parsing exists in the KepServerEX V4 component, which is present within the PLC Driver in versions of SCADA Expert ClearSCADA released prior to January 2014. Kepware confirmed this vulnerability is not present in KepServerEX V5.

The PLC Driver is an optional component that requires selection during installation. Most SCADA Expert ClearSCADA users may have installed this component inadvertently during a full installation.

The flawed PLC Driver is in the ServerMain.exe file, which is part of KepServerEX V4. This product contains several vulnerabilities that will cause the process to crash.

CVE-2014-0779 is the case number assigned to this vulnerability, to which ZDI assigned a CVSS v2 base score of 6.8.

No known public exploits specifically target this vulnerability. An attacker with moderate skill would be able to exploit this vulnerability.

Schneider Electric recommends that customers using the vulnerable product versions:
• Uninstall the Kepware driver in the vulnerable product versions and migrate to an external installation of KepServerEX V5.
• Seek guidance and assistance from Schneider Electric Technical Application Support.
