Schneider Fixes Buffer Overflow

Wednesday, February 25, 2015 @ 03:02 PM gHale

Schneider Electric created a new version that mitigates a buffer overflow vulnerability in the DTM (Device Type Manager) software for its Invensys SRD Control Valve Positioner product line, according to a report on ICS-CERT.

DTM Version 3.1.6 and all previous versions used with SRD 960 and SRD 991 Control Valve Positioners suffer from the issue, discovered by Ivan Sanchez from Nullcode Team.

An attacker who exploits this vulnerability may be able to execute arbitrary code.

Paris, France-based Schneider Electric maintains offices in over 100 countries worldwide.

The affected products, SRD 960 and SRD 991 Control Valve Positioners, operate pneumatic valve actuators. These products are deployed across several sectors including critical manufacturing, energy, water and wastewater systems, and others. Schneider Electric estimates these products are used globally.

The identified vulnerability is a stack buffer overflow condition in a DLL file that could possibly result in remote code execution.

CVE-2014-9206 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.2.

This vulnerability is not exploitable remotely and cannot be exploited without user interaction. The exploit only triggers when a local user runs the vulnerable application and loads the malformed DLL file.

No known public exploits specifically target this vulnerability.

Crafting a working exploit for this vulnerability would be difficult. Social engineering is mandatory to convince the user to accept the malformed DLL file. Additional user interaction would be required to load the malformed file. That required action decreases the likelihood of a successful exploit.

Schneider Electric encourages customers using these products to download the latest version, V3.6.3, that mitigates this vulnerability.

Schneider Electric’s security notice SEVD-2015-050-01 is also available.