This afternoon the DHS ICS-CERT updated a Siemens advisory for SIMATIC HMI Devices and publishes a new advisory for Schneider Electric InduSoft Wb Studio.
This update notes that Siemens is now reporting that all of the affected HMI devices now have updates available to mitigate the three vulnerabilities reported in the original advisory back in April. It also adds three different types of SIMATIC HMI panels to the list of affected and mitigated products.
This advisory describes a clear-text storage of sensitive information vulnerability in Schneider’s Electric InduSoft Web Studio and InTouch Machine. The vulnerability was originally reported by Gleb Gritsai, Alisa Esage Shevchenko, Ilya Karpov, and the team from Positive Technologies Security. Schneider has produced patches to mitigate the vulnerability but there is no indication that the researchers have been given the opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker with local access can obtain project passwords from the configuration file. These can then be used to execute arbitrary code.
NOTE: The link provided in the Advisory for the Schneider report on the InduSoft version of this vulnerability does not get to the report; Schneiderdoes not yet have the vulnerability listed. Here is the direct link.