It’s been a bad week for Schneider Electric and their
customers. As of late this afternoon there have been two ICS-CERT
advisories and one
alert published for industrial control systems from Schneider. The latest is
an advisory covering a buffer-stack overflow vulnerability in their Interactive
Graphical SCADA System (IGSS) application reported by Aaron Portnoy of Exodus Intelligence
in a coordinated disclosure.
According to the advisory a moderately skilled attacker
could remotely exploit this vulnerability and potentially execute arbitrary
code. Schneider has separate patches for the two latest versions of IGSS (V9
& V10) and Portnoy has validated these patches. For older versions of the
application Schneider recommends either:
• Upgrade to a newer, mitigated
version; or
• Filter communications over Port
12397/TCP to “only allow access from the specific IP addresses for the devices
being controlled or monitored” (page 3).
Interestingly a tweet by
Exodus Intelligence notes that “Schneider Electric has patched one
of the [emphasis
added] RCE vulnerabilities we reported in their IGSS SCADA product”. Do we wait
for the other shoe to drop until the ICS-CERT 45-day limit expires? Oops, the
45-day ICS-CERT limit passed on November 15th of last year (See
the Schneider Electric Vulnerabilities page).
Posts
No comments:
Post a Comment