Schneider Electric, a leading provider of industrial control systems, recently patched a remotely exploitable vulnerability in a driver found in 11 of its products.
The Industrial Control Systems Computer Emergency Response Team (ICS-CERT) released an advisory yesterday alerting users to the availability of a patch and warning of the consequences associated with the stack-based buffer overflow vulnerability found in Schneider’s Serial Modbus Driver, ModbusDrv.exe.
The driver is started when a programmable logic controller is connected to the serial port on a server. It creates a listener on TCP port 27700, and when a connection is made the Modbus Application Header is read into a buffer, the ICS-CERT advisory said.
If the header is too large, a stack-based overflow results. The advisory cautions that a second overflow vulnerability is also exploitable by overwriting the return address. By doing so, an attacker could execute code remotely.
The vulnerable software driver is used across a gamut of industries, including chemicals, manufacturing, energy, nuclear reactors, government facilities, dams and transportation systems, primarily in the United States, Europe and China.
ICS-CERT said it is not aware of any public exploits. The patch is available from Schneider Electric.
ICS-CERT said the following Schneider products contain the vulnerable Modbus driver:
- TwidoSuite Versions 2.31.04 and earlier,
- PowerSuite Versions 2.6 and earlier,
- SoMove Versions 1.7 and earlier,
- SoMachine Versions 2.0, 3.0, 3.1, and 3.0 XS,
- Unity Pro Versions 7.0 and earlier,
- UnityLoader Versions 2.3 and earlier,
- Concept Versions 2.6 SR7 and earlier,
- ModbusCommDTM sl Versions 2.1.2 and earlier,
- PL7 Versions 4.5 SP5 and earlier,
- SFT2841 Versions 14, 13.1 and earlier, and
- OPC Factory Server Versions 3.50 and earlier.
“The affected products are mostly software-based utilities and engineering tools designed for programming and configuring process, machine, and general control applications,” the ICS-CERT advisory said. “These applications rely on a common driver to communicate with PLCs.”
This is the third time this year that ICS-CERT has issued an alert about vulnerabilities in Schneider Electric gear. In January, an advisory was sent out about a remotely exploitable resource consumption vulnerability that was patched in Schneider’s ClearSCADA software. ClearSCADA is secure remote management software designed for use in large, geographically dispersed critical infrastructure systems.
In March, the company patched vulnerabilities in Schneider OPC Factory Server, which is an interface for client applications that require access to production data in real time. The buffer overflow flaws were not remotely exploitable, yet could allow an attacker with local access to run malicious programs on a computer running the vulnerable server software.