Yesterday the DHS ICS-CERT published an advisory for an XML external entity vulnerability in three Schneider Electric products. The vulnerability was reported to Schneider by Timur Yunusov, Alexey Osipov, and Ilya Karpov of Positive Technologies.
ICS-CERT reports that a moderately skilled attacker with local access to affected systems could exploit this vulnerability to gain access to information on the system. Schneider reports that the vulnerability could also lead to a denial of service attack.
Schneider has produced a series of patches for this vulnerability for the affected systems. There is no indication in the Advisory that there has been any outside verification of the efficacy of the patches. Interestingly, the Schneider disclosure document reminds users that if they must re-install or repair the affected products, they “should first uninstall the fix, re-install\repair the affected product(s) and then reinstall the fix”. Hopefully customers will be able to ensure that this information remains prominently available over the lifetime of the product.
NOTE: Schneider publicly released their vulnerability disclosure on July 28th after making it available on their secure portal on May 9th. The ICS-CERT Advisory does not provide links to either the disclosure document or the vulnerability report.