Schneider’s IGSS Mobile Fixed

Friday, February 16, 2018 @ 03:02 PM gHale

Schneider Electric has an update to mitigate an improper certificate validation vulnerability and a plaintext password storage vulnerability in its IGSS Mobile, according to a report with ICS-CERT.

Successful exploitation of these locally exploitable vulnerabilities, discovered by Alexander Bolshev (IOActive) and Ivan Yushkevich (Embedi), could allow an attacker to execute a man-in-the-middle attack. In addition, passwords can be accessed by unauthorized users.


The vulnerabilities affect the following IGSS Mobile products:
• IGSS Mobile for Android, version 3.01 and all versions prior
• IGSS Mobile for iOS, version 3.01 and all versions prior

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

In one vulnerability, the IGSS Mobile app lacks certificate pinning during the TLS/SSL connection establishing process. This issue could allow an attacker to execute a man-in-the-middle attack.
CVE-2017-9968 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.4.
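To illustrate the control the app was missing, the following is an added example (not Schneider's code and not part of the advisory) of a certificate-pinning check layered on top of normal TLS validation in Python's standard library. The pin format (SHA-256 over the DER-encoded leaf certificate) and the sample bytes in the comments are assumptions made for this example.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Iterable


class PinMismatch(Exception):
    """Raised when the server's certificate matches none of the pinned digests."""


def pin_for(der_cert: bytes) -> str:
    """Compute the pin for a DER-encoded certificate: hex SHA-256 of the raw bytes.

    An operator would run this once over their own server certificate and ship
    the resulting digest inside the app.
    """
    return hashlib.sha256(der_cert).hexdigest()


def cert_matches_pin(der_cert: bytes, pins: Iterable[str]) -> bool:
    """Return True only if the certificate's digest is in the pin set.

    hmac.compare_digest is used so the comparison does not leak timing
    information about how many leading characters matched.
    """
    digest = pin_for(der_cert)
    return any(hmac.compare_digest(digest, pin) for pin in pins)


def connect_with_pinning(host: str, port: int, pins: Iterable[str],
                         timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it unless the leaf certificate is pinned.

    The default context still performs chain and hostname validation; pinning
    is an additional check on top of it, so a certificate that is valid under
    some other trusted CA (the man-in-the-middle case) is rejected anyway.
    """
    context = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = context.wrap_socket(raw, server_hostname=host)
    try:
        der_cert = tls.getpeercert(binary_form=True)
        if der_cert is None or not cert_matches_pin(der_cert, pins):
            raise PinMismatch(f"certificate presented by {host} matches no pin")
    except Exception:
        tls.close()  # never hand back a socket that failed the pin check
        raise
    return tls
```

A pin set must be rotated before the pinned certificate expires or is reissued, otherwise the app locks itself out of a legitimate server.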

In another issue, IGSS Mobile app passwords are stored in clear-text in the configuration file.

CVE-2017-9969 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.0.

The product sees use in the commercial facilities, critical manufacturing and energy sectors. It also sees action on a global basis.

An update for Android with the fix for these vulnerabilities is available for download on Google Play.

An update for iOS with the fix for these vulnerabilities is available on Apple Store.

For more information on these vulnerabilities and associated patch, see Schneider Electric’s security notification SEVD-2018-039-02.
