It’s been a bad week for Schneider Electric and their customers. As of late this afternoon there have been two ICS-CERT advisories and one alert published for industrial control systems from Schneider. The latest is an advisory covering a stack-based buffer overflow vulnerability in their Interactive Graphical SCADA System (IGSS) application, reported by Aaron Portnoy of Exodus Intelligence in a coordinated disclosure.
According to the advisory, a moderately skilled attacker could remotely exploit this vulnerability and potentially execute arbitrary code. Schneider has separate patches for the two latest versions of IGSS (V9 & V10), and Portnoy has validated these patches. For older versions of the application, Schneider recommends either:
• Upgrade to a newer, mitigated version; or
• Filter communications over Port 12397/TCP to “only allow access from the specific IP addresses for the devices being controlled or monitored” (page 3).
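An added example, not from the advisory or the original post: one way to check that the port filter in the second option is actually holding is to audit flow records for 12397/TCP connections whose source is outside the allowlist. The log format, addresses and function names below are constructed for illustration.

```python
import ipaddress

IGSS_PORT = 12397  # TCP port named in the advisory's mitigation
# Constructed allowlist: hypothetical addresses of the controlled/monitored devices.
ALLOWED = [ipaddress.ip_network(n) for n in ("10.20.0.11/32", "10.20.0.12/32", "10.20.5.0/28")]

# Constructed flow records: "timestamp proto src_ip:src_port -> dst_ip:dst_port"
SAMPLE_FLOWS = """\
2013-01-18T09:00:01Z tcp 10.20.0.11:49152 -> 10.20.0.5:12397
2013-01-18T09:00:07Z tcp 10.20.5.9:50011 -> 10.20.0.5:12397
2013-01-18T09:01:44Z tcp 192.0.2.77:40022 -> 10.20.0.5:12397
2013-01-18T09:02:10Z udp 192.0.2.77:40022 -> 10.20.0.5:12397
2013-01-18T09:02:30Z tcp 10.20.9.3:51515 -> 10.20.0.5:443
2013-01-18T09:03:02Z tcp 10.20.5.40:50100 -> 10.20.0.5:12397
malformed line
"""

def parse_flow(line):
    """Return (proto, src_ip, dst_port), or None if the line does not parse."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    try:
        src = ipaddress.ip_address(parts[2].rsplit(":", 1)[0].strip("[]"))
        dst_port = int(parts[4].rsplit(":", 1)[1])
    except (ValueError, IndexError):
        return None
    return parts[1].lower(), src, dst_port

def audit(flows, allowed=ALLOWED, port=IGSS_PORT):
    """Return (violations, unparsed) for TCP flows to `port` from outside `allowed`."""
    violations, unparsed = [], []
    for line in filter(None, (l.strip() for l in flows.splitlines())):
        rec = parse_flow(line)
        if rec is None:
            unparsed.append(line)  # surface unreadable records instead of dropping them
            continue
        proto, src, dst_port = rec
        if proto != "tcp" or dst_port != port:
            continue  # only the advisory's port/protocol is in scope
        if not any(src in net for net in allowed):
            violations.append((str(src), line))
    return violations, unparsed

if __name__ == "__main__":
    bad, junk = audit(SAMPLE_FLOWS)
    for src, line in bad:
        print(f"NOT ALLOWLISTED {src}: {line}")
    print(f"{len(junk)} unparsed record(s)")
```

Any hit means the filter is missing, misordered or bypassed on that path, and the source address is the starting point for triage.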
Interestingly, a tweet by Exodus Intelligence notes that “Schneider Electric has patched one of the [emphasis added] RCE vulnerabilities we reported in their IGSS SCADA product”. Do we wait for the other shoe to drop until the ICS-CERT 45-day limit expires? Oops, the 45-day ICS-CERT limit passed on November 15th of last year (see the Schneider Electric Vulnerabilities page).