Schneider Fixes Password Storage Hole

Friday, July 31, 2015 @ 05:07 PM gHale

Schneider Electric released patches to mitigate vulnerability of storing sensitive information in clear text in the InduSoft Web Studio and InTouch Machine Edition 2014 products, according to a report on ICS-CERT.

Gleb Gritsai, Alisa Esage Shevchenko, Ilya Karpov, and the team from Positive Technologies Security discovered the vulnerability.

Home Automation System Holes Fixed
Chrysler Updates 1.4 Million Vehicles
Fiat Fixes Auto Remote Exploit
Siemens Fixes SIPROTEC DoS Vulnerability

The following Schneider Electric products suffer from the issue:
• InduSoft Web Studio, Version and all previous versions.
• InTouch Machine Edition 2014, Version 7.1 Service Pack 3, Patch 4 and all previous versions.

An attacker who exploits this vulnerability may be able to execute arbitrary code.

Schneider Electric’s corporate headquarters is in Paris, France, and the company maintains offices in more than 100 countries worldwide.

The affected products, Schneider Electric Wonderware InTouch Machine Edition and Schneider Electric InduSoft Web Studio, are embedded HMI software packages. These products see use in energy management operations in the commercial facilities, energy, food and agriculture, and information technology sectors globally.

As it turns out, passwords for project windows end up stored in a configuration file in clear text.

CVE-2015-1009 is the case number assigned to this vulnerability, which Positive Technologies Security gave a CVSS v2 base score of 6.4.

This vulnerability is not exploitable remotely and no known public exploits specifically target this vulnerability. An attacker with a low skill would be able to exploit this vulnerability.

Schneider Electric has two divisions supporting this product under separate organizations. Patch availability and technical information are available at these separate divisional support units. Schneider Electric issued separate security notices for each specific division/product support center.

SEVD-2015-100-01 – InduSoft Web Studio
Schneider Electric released patches, available for download, to remediate the noted vulnerabilities.

Click here for the patch for InduSoft Web Studio, Version, Patch 5.

Click here for any additional information on vulnerabilities in Schneider Electric’s products.

Wonderware Security Bulletin LFSEC00000110 — InTouch Machine Edition Security Vulnerability
This document will provide an overview of the identified vulnerability and the actions required to mitigate it. To obtain full details on the issues and assistance on how to protect your installation, contact your Wonderware Global Custom Support representative. This organization is fully aware of this situation and can provide support through the process.

Click here for the Global Customer Support’s Security Central web site.

Click here for the Wonderware Security Bulletin.