SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-681441630] Schneider Electric StruxureOn Gateway

| Field | Value |
|---|---|
| Date | 2018-02-15 |
| Type | Other |
| Platform | Schneider Electric |
| Author | Schneider Electric reported this vulnerability to NCCIC. |
| EDB-ID | N/A |
| CVE-ID | CVE-2017-9970 |
| OSVDB-ID | N/A |
| Download App | N/A |
| SIS Signature | N/A |

Source

#
# Schneider Electric StruxureOn Gateway
#


### VULNERABLE VENDOR
Schneider Electric


### VULNERABLE PRODUCT
StruxureOn Gateway


### RESEARCHER
Schneider Electric reported this vulnerability to NCCIC.


### AFFECTED PRODUCTS
Schneider Electric reports that the vulnerability affects the following versions of StruxureOn Gateway, a software management platform:

StruxureOn Gateway, all versions prior to 1.2



### IMPACT
Successful exploitation of this vulnerability could allow a remote attacker to upload a malicious file to any directory on the device, which could lead to remote code execution.


### VULNERABILITY OVERVIEW
UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434
Uploading a zip file with modified metadata may allow remote code execution.
CVE-2017-9970 has been assigned to this vulnerability.
A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). The PR:H component records that exploitation requires high-privilege (authenticated) access.
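As an added illustration of the CWE-434 class described above (example code, not Schneider Electric's, and not a reconstruction of the actual StruxureOn Gateway flaw, whose "modified metadata" the page does not detail): a defensive extraction routine for an uploaded archive. Each entry name is resolved against the destination and refused if it would land outside it, entry sizes are capped, and only an allow-list of file types is written. The function names, `ALLOWED_SUFFIXES`, the size limit and the sample archive are all assumptions constructed for this example.

```python
import io
import shutil
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple

# Assumed policy for this example: which file types an uploaded
# archive is allowed to deliver, and how large any one entry may be.
ALLOWED_SUFFIXES = {".cfg", ".json", ".txt"}
MAX_ENTRY_BYTES = 50 * 1024 * 1024


def validate_entry(name: str, dest: Path,
                   allowed_suffixes=ALLOWED_SUFFIXES) -> Optional[str]:
    """Return None if the entry may be written under dest, else a reason.

    dest must already be resolved (absolute, symlinks followed).
    """
    # Treat Windows separators as separators so "..\\x" cannot slip past.
    name = name.replace("\\", "/")
    if not name:
        return "empty entry name"
    # Absolute paths and drive letters are never legitimate in an upload.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return "absolute path"
    # Resolve the final location and require it to be strictly inside dest.
    target = (dest / name).resolve()
    if dest not in target.parents:
        return "path escapes destination"
    if name.endswith("/"):
        return None  # directory entry: nothing is written for it
    if target.suffix.lower() not in allowed_suffixes:
        return f"disallowed file type {target.suffix!r}"
    return None


def safe_extract(zip_bytes: bytes, dest_dir: str,
                 allowed_suffixes=ALLOWED_SUFFIXES
                 ) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Extract only validated entries; return (written, rejected)."""
    dest = Path(dest_dir).resolve()
    dest.mkdir(parents=True, exist_ok=True)
    written: List[str] = []
    rejected: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reason = validate_entry(info.filename, dest, allowed_suffixes)
            if reason is None and info.file_size > MAX_ENTRY_BYTES:
                reason = "entry too large"
            if reason is not None:
                rejected.append((info.filename, reason))
                continue
            if info.is_dir():
                continue
            target = (dest / info.filename.replace("\\", "/")).resolve()
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(info.filename)
    return written, rejected


def build_sample_upload() -> bytes:
    """Constructed sample archive: one legitimate entry and two that
    a naive extractor would write but this one refuses."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/gateway.cfg", "poll_interval=30\n")
        zf.writestr("../../outside.cfg", "should never be written\n")
        zf.writestr("plugins/hook.sh", "#!/bin/sh\n")
    return buf.getvalue()


def demo() -> Tuple[List[str], List[Tuple[str, str]]]:
    """Run the sample upload through safe_extract in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_upload(), tmp)


if __name__ == "__main__":
    written, rejected = demo()
    print("written:", written)
    print("rejected:", rejected)
```

The containment check uses `dest not in target.parents` rather than a string prefix comparison, so a destination of `/opt/gw` does not accept `/opt/gw-evil/x`, and an entry that resolves to the destination directory itself is also refused.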





### BACKGROUND
Critical Infrastructure Sectors: Critical Manufacturing, Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: France




### MITIGATION

Schneider Electric has released a new version of the software, available at:

https://struxureon.com/download-and-set-up-struxureon-gateway/


For more information on this vulnerability and the associated patch, please see Schneider Electric’s security notification SEVD-2018-039-01 on their website:

https://www.schneider-electric.com/en/download/document/SEVD-2018-039-01/


Schneider Electric reports that, in addition to upgrading to version 1.2, users should ensure they change the default passwords, as this vulnerability requires authenticated access.