Today the DHS ICS-CERT published a new advisory affecting 11 separate Schneider Electric products that use the serial MODBUS driver. The advisory is based on a stack-based buffer overflow vulnerability reported by Carsten Eiram of Risk Based Security in a coordinated disclosure. An updated ModbusDriverSuite has been produced, but there is no indication whether or not Carsten has had a chance to verify the efficacy of that mitigation.
ICS-CERT reports that a highly skilled attacker could remotely exploit this vulnerability to execute arbitrary code.
The ICS-CERT advisory gives conflicting information about the mitigation efforts undertaken by Schneider. In one paragraph it states that the latest versions of OFS and UnityPro have been released with an updated ModbusDriverSuite and other affected systems will have that suite in their next update. The next paragraph then states that: “Schneider Electric has no immediate plan for updating the other identified software products.”
The advisory from Schneider (originally released September 13th, 2013) states:
“The ModbusDriverSuite for TwidoSuite will be available in April of 2014. Until the ModbusDriverSuite becomes available for TwidoSuite, Schneider Electric recommends using a firewall to allow only authorized systems to access TwidoSuite. OFS V3.5 and Unity Pro V8 have been released including the updated ModbusDriverSuite. For other products listed, the updated ModbusDriverSuite will be implemented with each new version of those Software Products.”
The Schneider-produced advisory has some changes recorded in it. It appears that, initially at least, they believed that the vulnerability could only be exploited via local access. They also apparently initially underestimated the degree of risk associated with this vulnerability; they updated the CVSS Base Score from 6.9 to 9.3 (the same value that ICS-CERT is reporting). There is no indication of when these two visible changes were made to their advisory.