Schneider Fixes Wonderware Holes

Tuesday, August 26, 2014 @ 07:08 PM gHale

Schneider Electric created an update that mitigates four vulnerabilities in the Wonderware Information Server (WIS), according to a report on ICS-CERT.

Some of these vulnerabilities, discovered by Timur Yunusov, Ilya Karpov, Sergey Gordeychik, Alexey Osipov, and Dmitry Serebryannikov of the Positive Technologies Research Team, could end up exploited remotely.

CG Automation Fixes Improper Input Validation
Siemens Fixes SIMATIC S7-1500 CPU Hole
Siemens Updates OpenSSL Holes
SUBNET Hot Fix for Vulnerability

The following Schneider Electric WIS versions suffer from the issue:
• Wonderware Information Server 4.0 SP1 Portal,
• Wonderware Information Server 4.5 Portal,
• Wonderware Information Server 5.0 Portal, and
• Wonderware Information Server 5.5 Portal.

If these vulnerabilities end up exploited, they could allow remote code execution, information disclosure, or session credential high jacking.

Schneider Electric corporate headquarters is located in Paris, France, and maintains offices in more than 100 countries worldwide.

The affected products, WIS software, provides industrial information content including process graphics, trends, and reports on a single web page. WIS web clients allow access to real-time dashboards, predesigned reports of industrial activities, and provide analysis or write back capabilities to the process. WIS sees action across several sectors including chemical, commercial facilities, critical manufacturing, energy, food and agriculture, and water and wastewater systems. Schneider Electric said these products see use primarily in the United States and Europe with a small percentage in Asia.

Encryption of WIS is insufficient, so if an attacker decrypts the credentials, an elevation of privilege could result. An attacker would need to compromise the system for this attack to occur.

CVE-2014-2381 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 2.1.

In addition, CVE-2014-2380 is another case number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

In addition, WIS fails to validate, filter, or encode user input before returning it to a user’s web client. CVE-2014-5397 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.5.

WIS may allow access to local resources (files and internal resources) via unsafe parsing of XML external entities. By using specially crafted XML files, an attacker can cause these products to send the contents of local remote resources to the attacker’s server or cause a denial of service of the system. This vulnerability is not exploitable remotely and cannot end up exploited without user interaction. The exploit only triggers when a local user runs the vulnerable application and loads the malformed XML files.

CVE-2014-5398 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.

WIS is vulnerable to a SQL injection vulnerability by performing database operations unintended by the web application designer and, in some instances, can lead to compromise of the database server or lead to remote code execution.

CVE-2014-5399 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.5.

No known public exploits specifically target these vulnerabilities. Crafting a working exploit for some of these vulnerabilities would be difficult. Social engineering would have to come into play to convince the user to accept the malformed XML file. Additional user interaction would need to load the malformed file. This decreases the likelihood of a successful exploit.

Schneider Electric created an update for WIS web pages and components to address the vulnerabilities. Customers using all versions of WIS should upgrade to WIS Version 5.5 and then apply the security update.

Customers using the affected versions of WIS should set the security level settings in the Internet browser to “Medium – High” to minimize the risks presented by these vulnerabilities. In addition, the Wonderware Information Server Portal can end up configured to use HTTPS that will require additional steps as documented in the products user documentation.

Leave a Reply

You must be logged in to post a comment.