ESB-2018.0459 - [Appliance] Schneider Electric IGSS SCADA Software: Execute arbitrary code/commands - Existing account 2018-02-15


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0459
          Schneider Electric IGSS SCADA Software security update
                             15 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Schneider Electric IGSS SCADA Software
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-9967  

Original Bulletin: 
   https://ics-cert.us-cert.gov/advisories/ICSA-18-044-02

- --------------------------BEGIN INCLUDED TEXT--------------------

This advisory contains mitigation details for a security misconfiguration 
vulnerability in Schneider Electric's IGSS SCADA software.

Advisory (ICSA-18-044-02)
Schneider Electric IGSS SCADA Software
Original release date: February 13, 2018

All information products included in http://ics-cert.us-cert.gov are provided 
"as is" for informational purposes only. The Department of Homeland Security 
(DHS) does not provide any warranties of any kind regarding any information 
contained within. DHS does not endorse any commercial product or service, 
referenced in this product or otherwise. Further dissemination of this product 
is governed by the Traffic Light Protocol (TLP) marking in the header. For more 
information about TLP, see http://www.us-cert.gov/tlp/.

CVSS v3 7.0

ATTENTION: Locally exploitable/high skill level to exploit.

Vendor: Schneider Electric

Equipment: IGSS SCADA Software

Vulnerability: Security Misconfiguration

AFFECTED PRODUCTS

Schneider Electric reports that the vulnerability affects the following IGSS 
SCADA Software products:

    IGSS SCADA Software V12 and all previous versions.

IMPACT

Successful exploitation of this vulnerability could cause the device the 
attacker is accessing to crash or execute arbitrary code.

MITIGATION

Schneider Electric has provided IGSS SCADA Software V13 to address this 
vulnerability. Users are recommended to update to V13 using the following link.

http://igss.schneider-electric.com/products/igss/download/licensed-versions.aspx

NCCIC recommends users take defensive measures to minimize the risk of exploitation 
of this vulnerability. Specifically, users should:

    Not click web links or open unsolicited attachments in email messages.

    Refer to Recognizing and Avoiding Email Scams for more information on 
    avoiding email scams.

    Refer to Avoiding Social Engineering and Phishing Attacks for more information 
    on social engineering attacks.

NCCIC reminds organizations to perform proper impact analysis and risk assessment 
prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices 
on the ICS-CERT web page. Several recommended practices are available for reading 
and download, including Improving Industrial Control Systems Cybersecurity with 
Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in 
the NCCIC Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion 
Detection and Mitigation Strategies, that is available for download from the 
ICS-CERT website.

Organizations observing any suspected malicious activity should follow their 
established internal procedures and report their findings to NCCIC for tracking 
and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability 
is not remotely exploitable.

VULNERABILITY OVERVIEW

SECURITY MISCONFIGURATION CWE-815

Memory protection settings such as address space layout randomization (ASLR) and 
data execution prevention (DEP) are not properly implemented.

CVE-2017-9967 has been assigned to this vulnerability. A CVSS v3 base score of 7.0 
has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L).

RESEARCHER

Ivan Sanchez of Nullcode reported this vulnerability to NCCIC.

BACKGROUND

Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, 
Energy

Countries/Areas Deployed: Worldwide

Company Headquarters Location: France

Contact Information

For any questions related to this report, please contact the NCCIC at:

Email: NCCICCUSTOMERSERVICE@hq.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information:  
http://ics-cert.us-cert.gov 
or incident reporting:  
https://ics-cert.us-cert.gov/Report-Incident?

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
