Schneider Patches InduSoft Hole

Thursday, September 21, 2017 @ 05:09 PM gHale


Schneider Electric released a patch to mitigate a missing-authentication-for-critical-function vulnerability in its InduSoft Web Studio and InTouch Machine Edition products, according to a report from ICS-CERT.

Successful exploitation of this remotely exploitable vulnerability, discovered by Aaron Portnoy, formerly of Exodus Intelligence, could allow an attacker to remotely execute arbitrary commands with high privileges.


The vulnerability affects the following products:
• InduSoft Web Studio v8.0 SP2 or prior
• InTouch Machine Edition v8.0 SP2 or prior

No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.

InduSoft Web Studio provides the capability for an HMI client to trigger script execution on the server for the purposes of performing customized calculations or actions. A remote malicious entity could bypass the server authentication and trigger the execution of an arbitrary command. The command is executed under high privileges and could lead to a complete compromise of the server.

CVE-2017-13997 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

The products see use in the critical manufacturing, energy, healthcare and public health, and water and wastewater systems sectors, and they are deployed globally.

Paris, France-based Schneider Electric recommends that users of InduSoft Web Studio v8.0 SP2 or prior upgrade and apply InduSoft Web Studio v8.0 SP2 Patch 1 as soon as possible. This patch can be found on the Schneider Electric InduSoft web site.

Schneider Electric recommends that users of InTouch Machine Edition v8.0 SP2 or prior upgrade and apply InTouch Machine Edition v8.0 SP2 Patch 1 as soon as possible. This patch can be found on Schneider Electric’s Invensys web site (registration required).
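An added example (not from ICS-CERT, Schneider Electric or the original article): a small inventory triage that flags hosts still running a release older than v8.0 SP2 Patch 1 of either product. It assumes versions are recorded in the "v8.0 SP2 Patch 1" form the article uses; the hostnames and sample inventory are constructed.

```python
import re

# Fixed release named in the article for both products: v8.0 SP2 Patch 1.
FIXED = (8, 0, 2, 1)
PRODUCTS = {"indusoft web studio", "intouch machine edition"}

# Assumed string format: "v<major>.<minor> [SP<n>] [Patch <n>]".
_VERSION_RE = re.compile(
    r"v?(\d+)\.(\d+)(?:\s*SP\s*(\d+))?(?:\s*Patch\s*(\d+))?\s*$",
    re.IGNORECASE,
)

def parse_version(text):
    """Turn 'v8.0 SP2 Patch 1' into (8, 0, 2, 1); a missing SP or Patch counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def is_affected(product, version):
    """True if the product is one of the two named and older than the fixed release."""
    if product.strip().lower() not in PRODUCTS:
        return False
    return parse_version(version) < FIXED

def triage(inventory):
    """Label each (host, product, version) row: PATCH, ok, REVIEW (unparseable) or n/a."""
    rows = []
    for host, product, version in inventory:
        if product.strip().lower() not in PRODUCTS:
            status = "n/a"
        else:
            try:
                status = "PATCH" if is_affected(product, version) else "ok"
            except ValueError:
                # Do not guess: an unreadable version needs a manual check.
                status = "REVIEW"
        rows.append((host, product, version, status))
    return rows

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("hmi-01", "InduSoft Web Studio", "v8.0 SP2"),
    ("hmi-02", "InduSoft Web Studio", "v8.0 SP2 Patch 1"),
    ("hmi-03", "InTouch Machine Edition", "v7.1 SP3"),
    ("hmi-04", "InTouch Machine Edition", "8.0"),
    ("hmi-05", "InduSoft Web Studio", "build 80.2"),
    ("eng-01", "Other HMI Package", "v1.0"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print("{:8} {:26} {:18} {}".format(*row))
```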

For more information on this vulnerability and associated patch, see InduSoft Security Bulletin LFSEC00000121 on the Schneider Electric cybersecurity web site.


