Schneider Updates PowerSCADA Anywhere, Citect Anywhere

Thursday, July 20, 2017 @ 02:07 PM gHale


Schneider Electric upgraded its software to mitigate multiple vulnerabilities in its PowerSCADA Anywhere and Citect Anywhere products, according to a report from ICS-CERT.

The remotely exploitable vulnerabilities, which Schneider Electric self-reported, include information exposure, cross-site request forgery (CSRF), improper neutralization of expression and improper validation of certificate expiration issues.


The vulnerabilities affect the following versions of PowerSCADA Anywhere and Citect Anywhere mobile extensions:
• Version 1.0 of PowerSCADA Anywhere redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2
• Citect Anywhere version 1.0

Successful exploitation of these vulnerabilities could allow an attacker to perform actions on behalf of a legitimate user, perform network reconnaissance, or gain access to resources beyond those intended with normal operation of the product.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level would be able to leverage the vulnerabilities.

In one vulnerability, the secure gateway component of the affected products is vulnerable to CSRF for multiple state-changing requests. This type of attack requires some level of social engineering to get a legitimate user to click on or access a malicious link/site containing the CSRF attack.

CVE-2017-7969 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.1.

In addition, an attacker on an adjacent network may be able to specify arbitrary server target nodes in connection requests to the secure gateway and server components.

CVE-2017-7970 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.

Also, the affected products use outdated cipher suites and improperly verify peer SSL certificates.

CVE-2017-7971 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

In addition, an attacker on an adjacent network may be able to escape out of remote applications and launch other processes.

CVE-2017-7972 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.5.

The products are used mainly in the commercial facilities sector and are deployed worldwide.

Schneider Electric recommends users upgrade their systems as soon as possible. The following instructions address software at potential risk:
• PowerSCADA Anywhere Version 1 used with PowerSCADA Expert v8.2 and PowerSCADA Expert v8.1: Uninstall PowerSCADA Anywhere (from Add/Remove Programs). Then install PowerSCADA Anywhere Version 1.1.
• Citect Anywhere version 1.0: Upgrade to Citect Anywhere version 1.1.

In addition to installing the provided security patch, Schneider Electric recommends the following steps to further harden the system:
• Configure the HTTP origin header whitelist to match the environment’s URL(s) used for accessing the secure gateway. This address may be one or more of the IP, machine name, or domain name where the secure gateway is hosted. The address may also be that of a load balancer or proxy, if the secure gateway is deployed that way.
• Configure the secure gateway’s whitelists to restrict access to expected client IPs, as well as to restrict access from the secure gateway to only expected internal server hosts. For an additional defense-in-depth layer, users can further use the Windows OS-level firewall (or zone firewalls) to restrict communication among only the expected nodes.
• If using self-signed certificates, configure the secure gateway machine to trust the server certificate.
• Depending on the organization’s requirements, users can further configure the secure gateway to restrict the usable TLS protocols. For an additional defense-in-depth layer, TLS protocols and cipher suites can also be restricted at the operating system level through the use of third party tools such as IISCrypto.
• Create unique user accounts with minimal privileges dedicated to accessing applications remotely. OS group policy objects can be used to further restrict what those unique user accounts are allowed to do. Schneider Electric provides an example configuration that prevents Task Manager from being launched in a remote app connection.
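As an added illustration of the first hardening step above (not code from Schneider Electric's products or the advisory), here is the kind of HTTP Origin allowlist check a secure gateway applies to state-changing requests, the control that blunts the CSRF issue in CVE-2017-7969; the gateway URLs and address in the allowlist are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed allowlist of the URL(s) operators use to reach the secure gateway
# (hypothetical hostnames and address; the advisory names none). One entry may
# be the load balancer or proxy in front of the gateway.
ALLOWED_GATEWAY_URLS = [
    "https://scada-gw.plant.example",
    "https://scada-gw.plant.example:8443",
    "https://10.0.5.20",
]
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def normalize_origin(value):
    """Reduce a URL or Origin header value to 'scheme://host:port'.

    The default port is made explicit so 'https://gw' and 'https://gw:443'
    compare equal. Returns None for anything that is not an http(s) URL.
    """
    try:
        parts = urlsplit(value.strip())
        host, port = parts.hostname, parts.port  # hostname is lower-cased
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return f"{parts.scheme}://{host}:{port}"


# Exact-match set: a look-alike such as gw.plant.example.attacker.test never matches.
ALLOWED_ORIGINS = {o for o in map(normalize_origin, ALLOWED_GATEWAY_URLS) if o}


def is_request_allowed(method, headers):
    """Apply the origin allowlist to one request; True means it may proceed.

    Only state-changing methods are checked. Origin is preferred; Referer is
    consulted only when Origin is absent. A missing or opaque ('null') origin
    fails closed: browsers send Origin on cross-site POSTs, so a request the
    gateway cannot attribute to an allowed page is refused.
    """
    if method.upper() not in STATE_CHANGING_METHODS:
        return True
    hdrs = {k.lower(): v for k, v in headers.items()}
    origin = hdrs.get("origin")
    if origin is None:
        origin = hdrs.get("referer")
    if origin is None or origin.strip().lower() == "null":
        return False
    return normalize_origin(origin) in ALLOWED_ORIGINS
```

The same exact-match rule applies whichever address is listed, so a proxy or load balancer in front of the gateway simply becomes another allowlist entry.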

For more information about the vulnerabilities and patch in PowerSCADA Anywhere, refer to Schneider Electric Security Notification – PowerSCADA Anywhere SEVD-2017-173-01.

For more information about the vulnerabilities and patch in Citect Anywhere, refer to Schneider Electric Security Notification – Citect Anywhere.


