This afternoon the DHS ICS-CERT published advisories on two separate Schneider applications, OPC Factory Server (OFS) and Floating License Manager. It appears that both vulnerabilities were self-reported and mitigations have been provided and communicated to customers.
The OFS advisory is for a stack buffer overflow vulnerability. Schneider reports that the vulnerability exists in the C++ sample client supplied with the OFS product line. Schneider included this sample client for illustrative purposes only and does not recommend its use in a production environment. Newer versions of OFS do not contain this vulnerability, and Schneider recommends either upgrading to a newer version or removing the sample client.
ICS-CERT reports that a moderately skilled attacker with physical access could exploit this vulnerability to start malicious programs on the system or execute arbitrary code.
Schneider reported this vulnerability to their customers on January 31st, 2014.
Floating License Manager Advisory
This advisory is for an unquoted service path vulnerability in one of the services installed by the Floating License Manager. Schneider reports that when “the executable path of a service contains blanks, attackers can exploit this to start malicious programs as Windows services”. They note that when the service paths in the registry are surrounded by quotes this vulnerability has no effect.
ICS-CERT reports that a moderately skilled attacker can exploit this vulnerability to execute malicious programs. The vulnerability is reportedly not subject to remote exploitation.
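An administrator can check the condition Schneider describes (a service path containing blanks and not surrounded by quotes) with a short audit script. The following is an added example, not code from Schneider or ICS-CERT; the sample paths and the vendor name in them are constructed, and the function names are illustrative.

```python
import re

# Executable part of an unquoted ImagePath: shortest prefix ending in ".exe"
# that is followed by whitespace or end of string; the rest is arguments.
_EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)(.*)$", re.IGNORECASE)

def audit_image_path(image_path):
    """Return (flagged, corrected_value) for one service ImagePath string."""
    value = image_path.strip()
    if value.startswith('"'):
        return False, value            # already quoted: not affected
    match = _EXE_RE.match(value)
    if not match:
        return False, value            # e.g. driver paths; out of scope here
    exe, args = match.groups()
    if " " not in exe:
        return False, value            # blanks, if any, are only in arguments
    return True, f'"{exe}"{args}'      # quote the executable, keep arguments

def audit_local_services():
    """Windows only: yield (service, ImagePath, corrected) for flagged services."""
    import winreg                      # imported here so the module loads anywhere
    root = r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root) as services:
        for i in range(winreg.QueryInfoKey(services)[0]):
            name = winreg.EnumKey(services, i)
            try:
                with winreg.OpenKey(services, name) as svc:
                    path, _ = winreg.QueryValueEx(svc, "ImagePath")
            except OSError:
                continue               # no ImagePath value, or not readable
            flagged, fixed = audit_image_path(str(path))
            if flagged:
                yield name, path, fixed

# Constructed sample values (hypothetical vendor), not taken from the advisory.
SAMPLES = [
    r'C:\Program Files\Example Vendor\License Service\lmsvc.exe',
    r'"C:\Program Files\Example Vendor\License Service\lmsvc.exe" -run',
    r'C:\Windows\System32\svchost.exe -k netsvcs',
    r'C:\Program Files\Example Vendor\agent.exe --config C:\cfg.ini',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        flagged, fixed = audit_image_path(sample)
        print("FLAG" if flagged else "ok  ", sample, "->", fixed)
```

On a Windows host, iterating over `audit_local_services()` lists the services whose registry `ImagePath` should be re-written with quotes or fixed by the vendor update.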
Schneider first published this vulnerability on January 16th and updated their advisory on January 31st. Customers were notified of the availability of an update via the Schneider Electric Software Update system.
Schneider is to be commended for discovering, fixing and reporting these vulnerabilities. The apparent delay in notifying ICS-CERT of the vulnerability is offset by the fact that mitigation methods were made available to their customers while Schneider waited to notify ICS-CERT.