(I)IoT Security News
News, Vulnerabilities

Schneider Electric IIoT Monitor

 EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a remote attacker to access files available to system users, arbitrarily upload and execute malicious files, and embed incorrect documents into the system output to expose restricted information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of IIoT Monitor, a monitoring platform, are affected:

3.2 VULNERABILITY OVERVIEW

3.2.1    IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

A path traversal vulnerability exists, which may allow access to files available to SYSTEM user.

CVE-2018-7835 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.2    UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

An unrestricted upload of a file with dangerous type vulnerability exists in the IIoT Monitor software that could allow the uploading and execution of malicious files.

CVE-2018-7836 has been assigned to this vulnerability. A CVSS v3 base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N).

3.2.3    IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE (‘XXE’) CWE-611

There is an XXE vulnerability in the IIoT Monitor software that may allow the software to resolve documents outside of the intended sphere of control, causing the software to embed incorrect documents into its output and expose restricted information.

CVE-2018-7837 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

3.4 RESEARCHER

Trend Micro’s Zero Day Initiative working with rgod reported these vulnerabilities to NCCIC.

4. MITIGATIONS

Schneider Electric recommends that affected users contact Schneider Electric customer support at https://www.schneider-electric.com/en/work/support/contacts.jsp for assistance in migrating to the latest software to resolve the issues.

Schneider Electric has also released a security notification that can be found at:

https://www.schneider-electric.com/en/download/document/SEVD-2018-354-03/

Schneider Electric strongly recommends implementing industry cybersecurity best practices, such as:

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

NCCIC also recommends that users take the following measures to protect themselves from social engineering attacks:

No known public exploits specifically target these vulnerabilities.

 

Source:

https://ics-cert.us-cert.gov/advisories/ICSA-19-008-02

 

Related posts

Rockwell Automation RSLinx Classic

(I) IoT
6 years ago

Medtronic 2090 Carelink Programmer Vulnerabilities (Update C)

(I) IoT
5 years ago

Schneider Electric PLC Simulator for EcoStruxure Control Expert

(I) IoT
4 years ago
Exit mobile version