Indegy, a cyber-security firm, has found a remote code execution vulnerability in Schneider Electric's flagship industrial controller management software, Unity Pro. Indegy released a report on the flaw on Tuesday. The vulnerability allows hackers to remotely execute code on industrial control system networks.
Schneider Electric has said that all versions of Unity Pro, including the latest, version 11.1, are impacted. Indegy has highlighted that the vulnerability does not require a compromise of the controllers in an ICS network because, “the industrial controllers lack authentication and industrial communications protocols lack encryption.”
Schneider Electric's description of the vulnerability says that the flaw occurs when a Unity instance is compiled as x86 and loaded onto the programmable logic controller simulator. It explained: “it is possible to make the simulator execute malicious code by redirecting the control flow of these instructions: By implanting arbitrary shellcode in free space of a Unity Pro project, then download and execute the patched project to the simulator.”