Schneider Mitigates VAMPSET Hole

Friday, April 3, 2015 @ 10:04 AM gHale


Schneider Electric published a security notification that tells how to mitigate a buffer overflow vulnerability in its VAMPSET software product, according to a report on ICS-CERT.

Ricardo Narvaja and Joaquín Rodríguez of Core Security reported this vulnerability directly to Schneider Electric.

RELATED STORIES
Ecava Patches IntegraXor DLL Holes
Schneider Patches InduSoft, InTouch Holes
GE, MACTek Update DTM Fix
Rockwell Fixes FactoryTalk Holes

VAMPSET software, V2.2.145 and all previous versions suffer from the issue.

An attacker who exploits this vulnerability may be able to execute arbitrary code.

Schneider Electric’s corporate headquarters is located in Paris, France, and it maintains offices in more than 100 countries worldwide.

The affected product, VAMPSET software, ends up used to configure and maintain multiple protection relays and arc monitoring units. This product sees action in the energy sector. Schneider Electric estimates this product sees use on all continents and in 60 countries world-wide.

VAMPSET is vulnerable to a stack-based and heap-based buffer overflow attack, which can end up exploited by attackers to execute arbitrary code by providing a malicious CFG or DAT file with specific parameters. These malformed or corrupted disturbance recording files cause VAMPSET to crash when opened in a stand-alone state, without connection to a protection relay. This vulnerability has no effect on the Windows Operating System.

CVE-2014-8390 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.6.

This vulnerability is not exploitable remotely and cannot end up exploited without user interaction. The exploit only triggers when a local user runs the vulnerable application and loads the malformed disturbance recording file.

No known public exploits specifically target this vulnerability.

Crafting a working exploit for this vulnerability would be difficult. Social engineering is a requirement to convince the user to accept the malformed disturbance recording file. Additional user interaction would be mandatory to load the malformed file, which decreases the likelihood of a successful exploit.

To protect the computer and configuration files from unauthorized escalation of privileges through manipulation, Schneider Electric recommends users employ best IT practices to secure their computers and relay configuration files.

Use of User Access Control (UAC) can further improve the security of the computer. To minimize the risk of attack, users who are not directly using this software on a regular basis should delete this application from their computer to reduce the likelihood of attack and to store relay configuration files in a protected location.

Schneider Electric has updated the VAMPSET tool in order to recognize malformed disturbance recorder files. It now checks the length of the text string in the Comtrade file in order to recognize them as being acceptable. This means the station name and device identification must be the proper length. If these conditions are available, the software will block opening the file, remain operational, and report to the user the file is not complete or contains wrong data.

For more information about this issue, see Schneider Electric security notification SEVD-2015-084-01.



Leave a Reply

You must be logged in to post a comment.