SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-474289413] Schneider Electric IGSS Mobile

| Date | Type | Platform | Author | EDB-ID | CVE-ID | OSVDB-ID | Download App | SIS Signature |
|---|---|---|---|---|---|---|---|---|
| 2018-02-15 | Other | Schneider Electric | Alexander Bolshev (IOActive) and Ivan Yushkevich (Embedi) reported these vulnerabilities to Schneider Electric. | N/A | CVE-2017-9968, CVE-2017-9969 | N/A | N/A | N/A |

Source

#
# Schneider Electric IGSS Mobile
#


### VULNERABLE VENDOR
Schneider Electric


### VULNERABLE PRODUCT
IGSS Mobile


### RESEARCHER
Alexander Bolshev (IOActive) and Ivan Yushkevich (Embedi) reported these vulnerabilities to Schneider Electric.


### AFFECTED PRODUCTS
Schneider Electric reports that the vulnerabilities affect the following IGSS Mobile products:

IGSS Mobile for Android, version 3.01 and all versions prior, and
IGSS Mobile for iOS, version 3.01 and all versions prior


### IMPACT
Successful exploitation of these vulnerabilities could allow an attacker to execute a man-in-the-middle attack. In addition, passwords can be accessed by unauthorized users.


### VULNERABILITY OVERVIEW
IMPROPER CERTIFICATE VALIDATION CWE-295
The IGSS Mobile app does not perform certificate pinning when establishing its TLS/SSL connection.
This issue could allow an attacker to execute a man-in-the-middle attack.
CVE-2017-9968 has been assigned to this vulnerability.
A CVSS v3 base score of 6.4 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).
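To make the missing control concrete, here is an added Python example (not code from Schneider Electric, IGSS Mobile, or the researchers named above). It extracts the SubjectPublicKeyInfo from a DER certificate, derives a `sha256/<base64>` pin of the form used by Android's Network Security Config and HPKP, and accepts a connection only when the platform's normal chain and hostname validation passes and the leaf certificate's pin is in the set the app ships. The certificate is a constructed, unsigned DER structure built inline so the self-test runs offline; the pin set, host name and function names are assumptions.

```python
"""Added example: SPKI certificate pinning check on top of normal TLS validation."""
import base64
import hashlib
import socket
import ssl


def _read_tlv(data: bytes, offset: int):
    """Parse one DER TLV at offset; return (tag, value_start, value_end)."""
    tag = data[offset]
    length = data[offset + 1]
    pos = offset + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw DER of subjectPublicKeyInfo from an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, pos, _ = _read_tlv(cert_der, 0)               # Certificate
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(cert_der, pos)             # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                    # optional explicit [0] version
        pos = end
    for _ in range(5):                                 # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[pos:end]


def spki_pin(spki_der: bytes) -> str:
    """HPKP / Android Network Security Config style pin: 'sha256/<base64 digest>'."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_matches(chain_der: list[bytes], pinned: set[str]) -> bool:
    """Accept the chain if any certificate in it carries a pinned SPKI; fail closed on an empty pin set."""
    if not pinned:
        return False
    return any(spki_pin(extract_spki(cert)) in pinned for cert in chain_der)


def connect_with_pins(host: str, port: int, pinned: set[str], timeout: float = 10.0) -> ssl.SSLSocket:
    """TLS connect with normal chain and hostname validation, plus a leaf SPKI pin check on top.
    Performs network I/O; not exercised by the offline self-test below."""
    ctx = ssl.create_default_context()                 # pinning adds to, never replaces, chain validation
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    if not pin_matches([tls.getpeercert(binary_form=True)], pinned):
        tls.close()
        raise ssl.SSLError(f"SPKI pin mismatch for {host}")
    return tls


# --- constructed sample certificate: structurally valid DER, not a real or signed certificate ---
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


_EC_PUBKEY_OID = _tlv(0x06, bytes.fromhex("2a8648ce3d0201"))                 # 1.2.840.10045.2.1 ecPublicKey
_ECDSA_SHA256 = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a8648ce3d040302")))    # ecdsa-with-SHA256
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, _EC_PUBKEY_OID) + _tlv(0x03, b"\x00\x04" + b"\x11" * 64))
_SAMPLE_TBS = _tlv(0x30,
    _tlv(0xA0, _tlv(0x02, b"\x02"))                                           # version v3
    + _tlv(0x02, b"\x01")                                                     # serialNumber
    + _ECDSA_SHA256                                                           # signature
    + _tlv(0x30, b"")                                                         # issuer (empty Name)
    + _tlv(0x30, _tlv(0x17, b"180215000000Z") + _tlv(0x17, b"190215000000Z"))  # validity
    + _tlv(0x30, b"")                                                         # subject
    + SAMPLE_SPKI)
SAMPLE_CERT = _tlv(0x30, _SAMPLE_TBS + _ECDSA_SHA256 + _tlv(0x03, b"\x00\x30\x00"))
PINNED = {spki_pin(SAMPLE_SPKI)}   # assumed shipped pin set; a real app also ships a backup pin


if __name__ == "__main__":
    print("pin:", spki_pin(extract_spki(SAMPLE_CERT)))
    print("matches pinned set:", pin_matches([SAMPLE_CERT], PINNED))
```

Pinning the SPKI rather than the whole certificate lets the server renew its certificate without breaking the app, and keeping a second (backup) pin for a key held offline avoids locking users out when the live key must be rotated.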


PLAINTEXT STORAGE OF A PASSWORD CWE-256
The IGSS Mobile app stores passwords in clear text in its configuration file.
CVE-2017-9969 has been assigned to this vulnerability.
A CVSS v3 base score of 6.0 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N).
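Cleartext credentials like these are normally found during an app assessment by reviewing the configuration files in the app's data directory. The following added Python example (not part of this advisory, and not IGSS Mobile code) audits a key=value configuration dump for credential keys whose values are stored in the clear: a reference to the platform secure store is accepted, an empty value is ignored, and base64 encoding is reported as obfuscation rather than protection. The configuration text, the key names and the `keychain:`/`keystore:` reference convention are constructed assumptions.

```python
"""Added example: flag credentials stored in the clear in a key=value app configuration."""
import base64
import re
from dataclasses import dataclass

# Keys whose values are expected to be secrets.
SECRET_KEY_RE = re.compile(r"(pass(word|wd)?|pwd|secret|token|api[_-]?key)", re.I)
# Assumed convention: the config holds only a handle into the platform secure store.
STORE_REF_RE = re.compile(r"^(keystore|keychain):[\w.-]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


@dataclass
class Finding:
    line_no: int
    key: str
    reason: str


def looks_base64_encoded(value: str) -> bool:
    """True when the value is base64 that decodes to printable ASCII, i.e. encoded but not protected."""
    if not B64_RE.match(value) or len(value) % 4:
        return False
    try:
        decoded = base64.b64decode(value, validate=True)
    except ValueError:
        return False
    return decoded.isascii() and decoded.decode("ascii").isprintable()


def audit_config(text: str) -> list[Finding]:
    """Return one Finding per credential key whose value is stored in the clear."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")) or "=" not in line:
            continue                                   # comments, section headers, non key=value lines
        key, value = (part.strip() for part in line.split("=", 1))
        if not SECRET_KEY_RE.search(key) or value == "":
            continue
        if STORE_REF_RE.match(value):
            continue                                   # secret lives in Keychain/Keystore, not in the file
        if looks_base64_encoded(value):
            findings.append(Finding(line_no, key, "base64-encoded credential (obfuscated, not protected)"))
        else:
            findings.append(Finding(line_no, key, "credential value stored in the clear"))
    return findings


# Constructed sample configuration; not the real IGSS Mobile file.
SAMPLE_CONFIG = """\
# constructed sample, not the real IGSS Mobile configuration
[server]
host = scada.example.internal
[auth]
user = operator
password = Winter2018!
api_token =
session_secret = keychain:app.session
backup_password = c2VjcmV0MTIz
"""


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(f"line {finding.line_no}: {finding.key}: {finding.reason}")
```

On the sample above the audit reports `password` on line 6 and `backup_password` on line 9, while the Keychain reference and the empty token pass. The fix the advisory's update implements on the app side is the pattern the `keychain:`/`keystore:` branch accepts: keep the secret in the platform's hardware-backed store and leave only a handle in the configuration file.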





### BACKGROUND
Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: France




### MITIGATION

An update for Android with the fix for these vulnerabilities is available for download on Google Play:

https://play.google.com/store/apps/details?id=dk.schneiderelectric.igssmobile


An update for iOS with the fix for these vulnerabilities is available on the Apple App Store:

https://itunes.apple.com/dk/app/igss-mobile/id871698051


For more information on these vulnerabilities and the associated patch, please see Schneider Electric's security notification SEVD-2018-039-02 on their website:

https://www.schneider-electric.com/en/download/document/SEVD-2018-039-02/