Today the DHS ICS-CERT published an advisory for an improper authorization vulnerability in the Schneider Electric MiCOM S1 Studio software. The vulnerability was reported by Michael Toecker of Digital Bond in a coordinated disclosure ahead of Digital Bond’s S-4 Conference, where Toecker then presented the vulnerability.
ICS-CERT reports that a highly skilled attacker with network access could exploit this vulnerability to run arbitrary code on the system or to cause a denial of service. Schneider has addressed the vulnerability through three recommended practices which, according to Schneider, mitigate it. Those practices are:
• Standard practice always encourages users to validate downloaded parameters through the device’s front-panel HMI;
• Schneider Electric recommends that users employ best IT practices to secure their computers with authorized user login and password protection;
• On computers running Windows 7, use of User Account Control (UAC) can further improve the security of the computer; and
• Users who do not use this software directly on a regular basis are strongly encouraged to delete the application from their computers to reduce the likelihood of attack.
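Two of those practices (UAC and removing the application from workstations that do not need it) and the password-protection point can be checked from the workstation itself. The script below is an added example, not part of the ICS-CERT advisory or any Schneider material; it assumes an elevated PowerShell session on the Windows 7 engineering workstation and that the MiCOM S1 Studio entry in Add/Remove Programs has a DisplayName containing "MiCOM" (a hypothetical match string; adjust it to what the registry actually shows).

```powershell
# Added example (not from the advisory or Schneider): audit the recommended
# practices on a Windows 7 engineering workstation. Run from an elevated prompt.
# Assumption: the MiCOM S1 Studio uninstall entry has a DisplayName like '*MiCOM*'.

# 1. UAC status. EnableLUA=1 means UAC is on; ConsentPromptBehaviorAdmin=0 means
#    administrators elevate silently, which removes the prompt the practice relies on.
$uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($uac.EnableLUA -ne 1) {
    Write-Warning 'UAC is disabled (EnableLUA is not 1); enable it and reboot.'
} elseif ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'UAC is on, but administrators are elevated without a prompt.'
} else {
    Write-Output 'UAC is enabled with an elevation prompt for administrators.'
}

# 2. Locate installed MiCOM software in both the native and 32-bit uninstall hives.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*MiCOM*' } |
    Select-Object DisplayName, DisplayVersion, UninstallString

if ($apps) {
    Write-Output 'MiCOM software present on this workstation:'
    $apps | Format-Table -AutoSize
    # Only remove it where the workstation is not used for MiCOM engineering.
    # Review each UninstallString before running it, for example:
    #   foreach ($a in $apps) {
    #       Start-Process -FilePath 'cmd.exe' -ArgumentList "/c $($a.UninstallString)" -Wait
    #   }
} else {
    Write-Output 'No MiCOM software found in the uninstall registry keys.'
}

# 3. Login and password protection: flag enabled local accounts that do not
#    require a password. Win32_UserAccount is used because Get-LocalUser is not
#    available on Windows 7.
Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True AND Disabled=False' |
    Where-Object { -not $_.PasswordRequired } |
    ForEach-Object { Write-Warning "Local account '$($_.Name)' does not require a password." }
```

The uninstall step is left as a commented template on purpose: the engineering workstation that actually configures the relays needs the software, and the practice only asks for removal from machines where it is not in regular use.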