Today the DHS ICS-CERT published a control system security advisory for the Schneider Electric ClearSCADA product. It describes an improper input validation vulnerability. The vulnerability was reported by Sergey Temnikov and Vladimir Dashchenko of Kaspersky Lab’s Critical Infrastructure Defense Team. Schneider has produced new updates to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to cause the ClearSCADA server process and communications driver processes to terminate.