Today the DHS ICS-CERT published an advisory for multiple
vulnerabilities in two Schneider Electric products, InduSoft WebStudio and
InTouch Machine. The vulnerabilities were reported by Gleb Gritsai, Ilya
Karpov, and Kirill Nesterov of Positive Technologies Security Lab and
independent researcher Alisa Esage Shevchenko. Schneider has produced patches
for the products, but there is no indication that the researchers were provided
the opportunity to verify the efficacy of the fix.
The vulnerabilities include:
∙ Hard-coded credentials - CVE-2015-0996;
∙ Authentication - CVE-2015-0997;
and
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to execute arbitrary code. They
also mention that there may be exploits for these vulnerabilities publicly
available.