Today the DHS ICS-CERT published an advisory for multiple vulnerabilities in two Schneider Electric products, InduSoft WebStudio and InTouch Machine. The vulnerabilities were reported by Gleb Gritsai, Ilya Karpov, and Kirill Nesterov of Positive Technologies Security Lab and independent researcher Alisa Esage Shevchenko. Schneider has produced patches for the products, but there is no indication that the researchers were provided the opportunity to verify the efficacy of the fix.
The vulnerabilities include:
∙ Hard-coded credentials - CVE-2015-0996;
∙ Authentication - CVE-2015-0997; and
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute arbitrary code. They also mention that there may be exploits for these vulnerabilities publicly available.