Schneider Clears InduSoft, InTouch Hole

Friday, November 10, 2017 @ 10:11 AM gHale


Schneider Electric released a mitigation plan for its InduSoft Web Studio and InTouch Machine Edition to address a stack-based buffer overflow, according to a report with ICS-CERT.

Successful exploitation of this vulnerability, discovered by Aaron Portnoy, formerly of Exodus Intelligence, could allow a remote un-authenticated attacker to remotely execute code with high privileges.

RELATED STORIES
Advantech Fixes WebAccess Holes
Siemens Fixes SIMATIC PCS 7 Issue
No Fixes for Outdated ABB FOX515T
New Version Clears Trihedral Holes

The following versions of InduSoft Web Studio and InTouch Machine Edition, an HMI, suffer from the remotely exploitable issue:
• InduSoft Web Studio v8.0 SP2 Patch 1 and prior versions
• InTouch Machine Edition v8.0 SP2 Patch 1 and prior versions

An attacker with low skill level could leverage the vulnerability. In addition, public exploits are available.

The stack-based buffer overflow vulnerability has been identified, which may allow remote code execution with high privileges.

CVE-2017-14024 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

The product sees use mainly in the commercial facilities, critical manufacturing, energy, transportation systems, and water and wastewater sectors. It also sees action on a global basis.

Schneider Electric recommends:
• Users using InduSoft Web Studio v8.0 SP2 Patch 1 or prior versions are affected and should upgrade and apply InduSoft Web Studio v8.1 as soon as possible.
• Users using InTouch Machine Edition v8.0 SP2 Patch 1 or prior versions are affected and should upgrade and apply InTouch Machine Edition 2017 v8.1 as soon as possible.

Schneider Electric released Security Bulletin LFSEC00000124.



Leave a Reply

You must be logged in to post a comment.