There are a series of vulnerabilities related to credentials and authentication in two of Schneider Electric’s HMI products, and an attacker who exploits them may be able to run arbitrary code.
The bugs lie in Schneider’s InduSoft Web Studio and InTouch Machine Edition products, both of which are embedded human-machine interface software packages. The applications are used for energy management operations in a number of industries, including IT, food and agriculture and energy.
There are several vulnerabilities in each of the packages, and an advisory from ICS-CERT says that public exploits for some of them may be circulating. One of the vulnerabilities results from the fact that the apps use a hard-coded, cleartext password to protect sensitive information that’s stored in Project Files and Project Configuration Files. Another bug is related to the authentication method used to connect to servers from the affected apps.
“When connecting to server from HMI, available user names are presented to the screen allowing for potential brute force attacks,” the advisory says.
The other two vulnerabilities derive from the fact that the applications send user credentials in cleartext and the credentials also are stored in the clear. These bugs could allow an attacker easy access to a target system.
Schneider Electric has released patches for the vulnerabilities in both InduSoft Web Studio and InTouch Machine Edition 2014 and encourages customers to install them as soon as possible.