This afternoon the DHS ICS-CERT published an advisory for a project-file input validation vulnerability in the Schneider ClearSCADA application. The vulnerability was discovered by Andrew Brooks and coordinated through the Zero Day Initiative (ZDI; it is not yet listed on the ZDI web site). The vulnerability is located in the optional PLC Driver in the KepServerEX V4 component, a third-party component of the ClearSCADA application.
ICS-CERT reports that a moderately skilled attacker with local system access could exploit this vulnerability to cause the system to crash. Schneider recommends that customers uninstall the Kepware driver in the vulnerable product versions and migrate to an external installation of KepServerEX V5. That version does not contain this vulnerability.
According to the advisory published by Schneider, they had already recommended a year and a half ago, because of other stability issues with the driver, that customers take the same action now being recommended in the ICS-CERT Advisory.
Since this is a third-party component of the system, the obvious question that must be asked is whether this same PLC Driver shows up in other control systems. If it does, are they also vulnerable? And, finally, how would a control system owner be able to tell?