|2018-02-15||Other||Schneider Electric||Alexander Bolshev (IOActive) and Ivan Yushkevich (Embedi) reported these vulnerabilities to Schneider Electric.||N/A||CVE-2017-9968 CVE-2017-9969 ||N/A||N/A||N/A|
# Schneider Electric IGSS Mobile
### VULNERABLE VENDOR
### VULNERABLE PRODUCT
Alexander Bolshev (IOActive) and Ivan Yushkevich (Embedi) reported these vulnerabilities to Schneider Electric.
### AFFECTED PRODUCTS
Schneider Electric reports that the vulnerabilities affect the following IGSS Mobile products:
IGSS Mobile for Android, version 3.01 and all versions prior, and
IGSS Mobile for iOS, version 3.01 and all versions prior
Successful exploitation of these vulnerabilities could allow an attacker to execute a man-in-the-middle attack. In addition, passwords can be accessed by unauthorized users.
### VULNERABILITY OVERVIEW
IMPROPER CERTIFICATE VALIDATION CWE-295
IGSS Mobile app lacks certificate pinning during the TLS/SSL connection establishing process.
This issue could allow an attacker to execute a man-in-the-middle attack.
CVE-2017-9968 has been assigned to this vulnerability.
A CVSS v3 base score of 6.4 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)
PLAINTEXT STORAGE OF A PASSWORD CWE-256
IGSS Mobile app passwords are stored in clear-text in the configuration file.
CVE-2017-9969 has been assigned to this vulnerability.
A CVSS v3 base score of 6.0 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)
Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: France
An update for Android with the fix for these vulnerabilities is available for download on Google Play:
An update for iOS with the fix for these vulnerabilities is available on Apple Store:
For more information on these vulnerabilities and associated patch, please see Schneider Electric’s security notification SEVD-2018-039-02 on their website: