Tenable Security researchers have revealed a Zero Day flaw in two Schneider Electric industrial controllers that if exploited could give an attacker an attack the ability to remotely execute code with high privileges.
The flaw can be found in two Schneider products, InduSoft Web Studio and InTouch Machine Edition which are used to manage industrial processes in oil and gas and other industries. The issue is a stack-based overflow that can be exploited through a specially crafted packet and exploit the buffer overflow using a tag alarm, read or write action to execute code.
“The vulnerability can be remotely exploited without authentication and targets the IWS Runtime Data Server service, by default on TCP port 1234. The software implements a custom protocol that uses various “commands.” This vulnerability is triggered through command 50, and is caused by the incorrect usage of a string conversion function,” the Tenable report stated.
This could potentially lead to a full compromise of the two software platforms with the worst case scenario being that the attacker could then move laterally from the infected computer throughout the network. Tenable also noted that connected HMI clients and OT devices can possibly be victimised.
InduSoft Web Studio is a collection of automation tools that provide the building blocks to develop HMIs (human-machine interfaces), SCADA systems and embedded instrumentation solutions, while InTouch Machine Edition is an HMI/SCADA software designed to provide everything from advanced HMI applications to small-footprint embedded devices, according to Schneider.
“While this single vulnerability is serious, the bigger problem is the general lack of security hygiene in our critical infrastructure. The lack of patching discipline in industrial controllers has created a Swiss cheese of entry points for adversaries to compromise electrical grids, water systems and other critical infrastructure. And in fact, many of these systems may already be compromised – which makes it more critical than ever for infrastructure operators to adopt modern security best practices,” Brian Wrozek, Optiv Security's infrastructure security expert, told SC Media.
The issues can be repaired by downloading the latest version of each software InduSoft Web Studio v8.1 SP1 and InTouch Machine Edition 2017 v8.1 SP1.