The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) last week issued advisories warning of serious vulnerabilities in Schneider Electric SCADA gear.
Schneider Electric is a supplier of energy management control products that are used in a number of critical industries in North America, including energy, water and wastewater, food, agriculture, and transportation systems.
The company reported two vulnerabilities that could allow attackers to execute malicious code. Product upgrades have been developed by Schneider Electric that mitigate the vulnerabilities.
The first affects the Schneider Electric OPC Factory Server, which provides an interface for client applications that require real-time access to production data. Versions TLXCDSUOFS33 – V3.35, TLXCDSTOFS33 – V3.35, TLXCDLUOFS33 – V3.35, TLXCDLTOFS33 – V3.35, and TLXCDLFOFS33 – V3.35 contain a buffer overflow vulnerability that is triggered when a malformed configuration file is parsed, the ICS-CERT advisory said.
“When a malformed configuration file is parsed by the demonstration client, it may cause a buffer overflow allowing the configuration file to start malicious programs or execute code on the PC,” the advisory said.
The vulnerability is not remotely exploitable; an attacker has to get a local user to open a crafted file, which keeps its severity score down.
“The exploit is only triggered when the demonstration client opens a specially modified sample client configuration file to execute malicious programs or execute code on the PC,” the advisory said.
The second vulnerability, an unquoted service path, was found in the Schneider Electric Floating License Manager; it too cannot be exploited remotely, the ICS-CERT advisory said. Versions V1.0.0 through V1.4.0 are affected. The license manager is used in five of the company's products: Power Monitoring Expert; StruxureWare Process Expert; StruxureWare Process Expert Libraries; Vijeo Citect (SCADA); and Vijeo Citect Historian.
“This vulnerability could allow attackers to start malicious programs as Windows services,” the advisory said. “When the executable path of a service contains blanks, attackers can exploit this to execute malicious programs.”
According to the advisory, the exploit is triggered only when a local user runs the vulnerable application and the service's executable path contains blanks; the mitigation is to enclose the service path stored in the registry in quotes. The underlying problem is a classic Windows privilege-escalation primitive (CWE-428): when a service path such as C:\Program Files\Vendor\svc.exe is unquoted, Windows tries C:\Program.exe and C:\Program Files\Vendor.exe before the real binary, so an attacker who can write to one of those locations gets their file launched with the service's privileges.
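The following is an added example, not code from the advisory or from Schneider Electric, showing how a practitioner would audit ImagePath values for this class of bug. It applies the CreateProcess path-splitting rule to a handful of constructed, hypothetical ImagePath strings (the service names, vendor directories and file names are invented), lists the files an attacker would need to plant to hijack each unquoted path, and emits the quoted form that fixes it. On a real Windows host the same logic would be fed from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath (for example via `sc qc <service>` or `wmic service get name,pathname`); here the data is embedded so the script runs offline anywhere.

```python
"""Audit Windows service ImagePath values for unquoted paths containing spaces.

Added example (not from the ICS-CERT advisory or the vendor). It mirrors the
CreateProcess search rule that makes an unquoted, space-containing service
path hijackable, and shows the quoted form that removes the ambiguity.
"""
import re
from dataclasses import dataclass, field

# Constructed sample data shaped like the registry value
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
# Service names, directories and binaries are hypothetical.
SAMPLE_IMAGE_PATHS = {
    "GoodQuoted": '"C:\\Program Files\\Vendor\\License Server\\lmgrd.exe" -c lic.dat',
    "GoodNoSpaces": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "BadUnquoted": r"C:\Program Files\Vendor\License Server\lmgrd.exe -c lic.dat",
    "BadUnquotedNoArgs": r"C:\Program Files (x86)\Vendor Tools\svc.exe",
}


@dataclass
class Finding:
    service: str
    image_path: str
    hijack_candidates: list = field(default_factory=list)
    fixed_image_path: str = ""


def split_exe_and_args(image_path):
    """Return (exe_path, args) for an unquoted ImagePath.

    Heuristic: the executable ends at the first ".exe" (case-insensitive);
    whatever follows is arguments. If no ".exe" is present, treat the whole
    string as the path.
    """
    m = re.search(r"\.exe\b", image_path, re.IGNORECASE)
    if not m:
        return image_path, ""
    return image_path[: m.end()], image_path[m.end():]


def hijack_candidates(exe_path):
    """List the files CreateProcess would try before the real executable.

    For an unquoted 'C:\\Program Files\\Vendor Tools\\svc.exe' Windows tries
    'C:\\Program.exe', then 'C:\\Program Files\\Vendor.exe', then the real
    file. Each prefix has no extension, so Windows appends ".exe".
    """
    return [exe_path[:idx] + ".exe" for idx, ch in enumerate(exe_path) if ch == " "]


def audit_image_path(service, image_path):
    """Return a Finding if the ImagePath is unquoted and has a space inside
    the executable path; otherwise None (quoted, or spaces only in args)."""
    stripped = image_path.strip()
    if stripped.startswith('"'):
        return None  # quoted: CreateProcess takes the quoted string verbatim
    exe_path, args = split_exe_and_args(stripped)
    if " " not in exe_path:
        return None  # nothing for CreateProcess to misinterpret
    fixed = f'"{exe_path}"{args}'
    return Finding(service, image_path, hijack_candidates(exe_path), fixed)


def audit_all(image_paths):
    """Run the check over a {service_name: ImagePath} mapping."""
    return [f for f in (audit_image_path(s, p) for s, p in image_paths.items()) if f]


if __name__ == "__main__":
    for f in audit_all(SAMPLE_IMAGE_PATHS):
        print(f"[!] {f.service}: {f.image_path}")
        for c in f.hijack_candidates:
            print(f"      attacker would plant: {c}")
        print(f"      fix: {f.fixed_image_path}")
```

The check flags syntactic ambiguity only. Whether a finding is actually exploitable depends on the attacker being able to create a file at one of the listed candidate locations (on a default install a standard user cannot drop C:\Program.exe, but vendor directories under C:\Program Files often carry loose ACLs) and on the service running with higher privileges than that attacker. The fix is exactly what the advisory prescribes: wrap the executable portion of the path in double quotes and leave any arguments outside them.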
Schneider Electric products using the vulnerable license manager are automatically updated via the company’s update system.