Schneider Patches InduSoft, InTouch Holes

Monday, March 30, 2015 @ 09:03 AM gHale


Schneider Electric released patches that mitigate vulnerabilities in the InduSoft Web Studio and InTouch Machine Edition 2014, according to a report on ICS-CERT.

Public exploits that target these vulnerabilities may exist. Gleb Gritsai, Ilya Karpov, and Kirill Nesterov of Positive Technologies Security Lab and independent researcher Alisa Esage Shevchenko discovered the vulnerabilities.


The following Schneider Electric products suffer from the vulnerabilities:
• InduSoft Web Studio, Version 7.1.3.2 and all previous versions
• InTouch Machine Edition 2014, Version 7.1.3.2 and all previous versions

An attacker who exploits these vulnerabilities may be able to execute arbitrary code.

Schneider Electric’s corporate headquarters is in Paris, France, and the company maintains offices in more than 100 countries worldwide.

The affected products, Schneider Electric Wonderware InTouch Machine Edition and Schneider Electric InduSoft Web Studio, are embedded HMI software packages. These products see use in energy management operations in the commercial facilities, energy, food and agriculture, and information technology sectors globally.

Sensitive information is stored in Project Files and Project Configuration Files. The only protection for this information is a hard-coded, cleartext password.

CVE-2015-0996 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.7.

In addition, when connecting to the server from the HMI, the available user names are displayed on the screen, allowing for potential brute force attacks.

CVE-2015-0997 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 3.3.

Also, user credentials are sent in cleartext, allowing malicious actors to access the control system.

CVE-2015-0998 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 3.3.

In addition, OPC user credentials are stored in a configuration file in cleartext.

CVE-2015-0999 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.2.

These vulnerabilities can be exploited from an adjacent network. Public exploits that target these vulnerabilities may exist. An attacker with low skill would be able to exploit these vulnerabilities.

Schneider Electric has two divisions supporting this product under separate organizations. Patches and technical information are available from these separate divisional support units. Schneider Electric issued separate security notices for each specific division/product support center.

One is SEVD-2015-054-01 – InduSoft Web Studio; Schneider Electric released patches, available for download, to remediate the vulnerabilities.

The patch for InduSoft Web Studio, Version 7.1.3.4, Service Pack 3, Patch 4, is available for download.

The other is SEVD-2015-054-02 – InTouch Machine Edition 2014; this document should help provide an overview of the identified vulnerability and actions required to mitigate it. To obtain full details on the issues and assistance on how to protect your installation, please contact your local Schneider Electric representative. These organizations will be fully aware of the situation and can support you through the process.

Wonderware Security Bulletin LFSEC00000108 – InTouch Machine Edition Security Vulnerability

This document will provide an overview of the identified vulnerability and actions required to mitigate it. To obtain full details on the issues and assistance on how to protect your installation, please contact a Wonderware Global Customer Support representative. These organizations will be fully aware of the situation and can support you through the process.

For further information on vulnerabilities in Wonderware’s products, please visit Global Customer Support’s Security Central web page.

For further information on vulnerabilities in Schneider Electric’s products, visit Schneider Electric’s cybersecurity web page.


