SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-527284388] Schneider Electric InduSoft Web Studio and InTouch Machine Edition

| Date | Type | Platform | Author | EDB-ID | CVE-ID | OSVDB-ID | Download App | SIS Signature |
|---|---|---|---|---|---|---|---|---|
| 2018-04-17 | Other | Schneider Electric | Tenable Research reported this vulnerability to Schneider Electric Software, LLC and Schneider Electric Software, LLC coordinate | N/A | CVE-2018-8840 | N/A | N/A | N/A |

Source


# Schneider Electric InduSoft Web Studio and InTouch Machine Edition






### VULNERABLE VENDOR

Schneider Electric





### VULNERABLE PRODUCT

InduSoft Web Studio, InTouch Machine Edition 





### RESEARCHER

Tenable Research reported this vulnerability to Schneider Electric Software, LLC and Schneider Electric Software, LLC coordinated with NCCIC.





### AFFECTED PRODUCTS

The following versions of InduSoft Web Studio and InTouch Machine Edition, an HMI, are affected:



InduSoft Web Studio v8.1 and prior versions, and

InTouch Machine Edition 2017 v8.1 and prior versions





### IMPACT







### VULNERABILITY OVERVIEW

STACK-BASED BUFFER OVERFLOW (CWE-121)

A remote attacker could send a carefully crafted packet during a tag, alarm, or event related action such as read and write, which may allow remote code execution.

CVE-2018-8840 has been assigned to this vulnerability.

A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).






### BACKGROUND

Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems, and Water and Wastewater Systems  

Countries/Areas Deployed: Worldwide

Company Headquarters Location: France






### MITIGATION



Schneider Electric Software, LLC recommends:



Users of InduSoft Web Studio v8.1 or prior versions are affected and should upgrade and apply InduSoft Web Studio v8.1 SP1 as soon as possible.



Users of InTouch Machine Edition 2017 v8.1 or prior versions are affected and should upgrade and apply InTouch Machine Edition 2017 v8.1 SP1 as soon as possible.



Schneider Electric Software, LLC has also released Security Bulletin LFSEC00000125 that can be found at:



http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000125/