Schneider Updates Controller Fix

Friday, April 14, 2017 @ 10:04 AM gHale


Schneider Electric updated a firmware fix to mitigate cross-site scripting and command injection vulnerabilities in its homeLYnk Controller, LSS100100, according to a report from ICS-CERT.

The remotely exploitable vulnerabilities, discovered by Mohammed Shameem, affect the homeLYnk Controller, LSS100100, all versions prior to V1.5.0.


An attacker may be able to exploit the vulnerabilities to execute JavaScript code in the browser of a user of the controller's web interface.

The homeLYnk controller is susceptible to a cross-site scripting attack: user-supplied input is not neutralized before it is placed in the web page, so crafted input can cause execution of JavaScript code.

CVE-2017-5157 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.3.

In addition, the command injection vulnerability lies in the controller's network features, which can be manipulated via specially crafted POST requests. This vulnerability requires user interaction to be exploited.

CVE-2017-7689 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.
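The two vulnerability classes above, cross-site scripting and command injection reached through a crafted POST, are shown here in an added example that is not Schneider's homeLYnk firmware and not code from the advisory. The handlers, the "ping" network feature, the HTML template and the request bodies are all assumed for illustration; each vulnerable form is paired with a hardened form, and a token check is included because a POST that "requires user interaction" is typically one a logged-in operator is tricked into submitting from another site.

```python
"""Added example: vulnerable and hardened forms of an embedded controller's
web handlers.  Nothing here is homeLYnk code; the "ping" feature, the
parameter names and the sample requests are constructed for this example."""
import hmac
import html
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs

# --- Cross-site scripting --------------------------------------------------

def render_status_vulnerable(device_name: str) -> str:
    # User-controlled text is written into the page unescaped, so a value
    # such as <script>...</script> runs in the operator's browser.
    return f"<h1>Status for {device_name}</h1>"

def render_status_hardened(device_name: str) -> str:
    # Escape on output: <, >, &, " and ' become entities, and the browser
    # renders the input as text instead of interpreting it as markup.
    return f"<h1>Status for {html.escape(device_name, quote=True)}</h1>"

# --- Command injection through a POST parameter ----------------------------

def build_ping_command_vulnerable(body: str) -> str:
    # The POST field is spliced into a shell string.  Run with shell=True,
    # a value like "8.8.8.8; reboot" executes a second command as the
    # web server's user.
    host = parse_qs(body).get("host", [""])[0]
    return f"ping -c 1 {host}"

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*$")

def build_ping_argv_hardened(body: str) -> list:
    # Allowlist the value (an IP literal or a plain hostname) and pass it
    # as one argv element.  No shell ever parses it, so shell metacharacters
    # in the parameter have no special meaning even if validation is loose.
    host = parse_qs(body).get("host", [""])[0]
    try:
        host = str(ipaddress.ip_address(host))
    except ValueError:
        if not HOSTNAME_RE.match(host):
            raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]

def run_ping(argv: list) -> int:
    # shell=False is the default; argv reaches ping as separate arguments.
    return subprocess.run(argv, capture_output=True, timeout=10).returncode

# --- Refusing forged POSTs (the "user interaction" vector) ----------------

def accepts_state_change(form: dict, session_csrf_token: str) -> bool:
    # A browser attaches the victim's session cookie to a POST forged by
    # another site, so the cookie alone does not prove intent.  Require a
    # per-session token that only the controller's own pages embed.
    token = form.get("csrf_token", [""])[0]
    return bool(session_csrf_token) and hmac.compare_digest(token, session_csrf_token)

if __name__ == "__main__":
    xss = '<script>fetch("/config?dump=1")</script>'      # constructed payload
    print(render_status_vulnerable(xss))
    print(render_status_hardened(xss))
    inj = "host=8.8.8.8%3B+reboot"                        # decodes to "8.8.8.8; reboot"
    print(build_ping_command_vulnerable(inj))
    try:
        build_ping_argv_hardened(inj)
    except ValueError as e:
        print("hardened handler:", e)
    print(build_ping_argv_hardened("host=192.0.2.10"))
    print(accepts_state_change(parse_qs("host=192.0.2.10"), "s3cr3t"))
```

The hardened ping handler relies on two independent controls: the argv form removes the shell entirely, and the allowlist rejects anything that is not a host identifier, so a future bug in one does not by itself reopen the injection.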

No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level could exploit them. This product sees use mainly in the commercial facilities sector.

Schneider Electric has made firmware that fixes these vulnerabilities available for download.

For more information on these vulnerabilities and more detailed mitigation instructions, see Schneider Electric security notification SEVD-2017-011-01.

Schneider Electric security notification SEVD-2017-052-02 is also available.
