SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-877347599] Schneider Electric InduSoft Web Studio and InTouch Machine Edition

Date: 2017-11-09
Type: Other
Platform: Schneider Electric
Author: Aaron Portnoy, formerly of Exodus Intelligence, reported the vulnerability to Schneider Electric.
EDB-ID: N/A
CVE-ID: CVE-2017-14024
OSVDB-ID: N/A
Download App: N/A
SIS Signature: N/A

Source

#
# Schneider Electric InduSoft Web Studio and InTouch Machine Edition
#


### VULNERABLE VENDOR
Schneider Electric


### VULNERABLE PRODUCT
InduSoft Web Studio, InTouch Machine Edition



### RESEARCHER
Aaron Portnoy, formerly of Exodus Intelligence, reported the vulnerability to Schneider Electric.



### AFFECTED PRODUCTS

The following versions of InduSoft Web Studio and InTouch Machine Edition, an HMI, are affected:

InduSoft Web Studio v8.0 SP2 Patch 1 and prior versions, and
InTouch Machine Edition v8.0 SP2 Patch 1 and prior versions.



### IMPACT

Successful exploitation of this vulnerability could allow a remote, unauthenticated attacker to execute code with high privileges.



### VULNERABILITY OVERVIEW

STACK-BASED BUFFER OVERFLOW CWE-121
A stack-based buffer overflow vulnerability has been identified which may allow remote code execution with high privileges.
CVE-2017-14024 has been assigned to this vulnerability.
A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).





### BACKGROUND

Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems, and Water and Wastewater Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: France




### MITIGATION

Schneider Electric recommends:

Users running InduSoft Web Studio v8.0 SP2 Patch 1 or prior are affected and should upgrade to InduSoft Web Studio v8.1 as soon as possible.

Users running InTouch Machine Edition v8.0 SP2 Patch 1 or prior are affected and should upgrade to InTouch Machine Edition 2017 v8.1 as soon as possible.

Schneider Electric has also released Security Bulletin LFSEC00000124 that can be found at:

http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000124/
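Added here as an editor's example, not part of the advisory or of any Schneider Electric tooling: an inventory check that parses version strings in the form the advisory uses ("v8.0 SP2 Patch 1") and classifies each HMI install against the last affected release and the fixed release named above. Hostnames, the sample inventory and the third product label are constructed; builds that sit between the last affected release and v8.1 are reported as unverified because the advisory says nothing about them either way.

```python
import re

# Version boundaries quoted in the advisory. Everything at or below LAST_AFFECTED
# is affected; FIXED is the release the vendor tells users to move to. Both
# products share the same boundaries.
LAST_AFFECTED = "v8.0 SP2 Patch 1"
FIXED = "v8.1"
AFFECTED_PRODUCTS = {"InduSoft Web Studio", "InTouch Machine Edition"}

_VERSION_RE = re.compile(
    r"^\s*v?(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\s*SP(?P<sp>\d+))?"
    r"(?:\s*Patch\s*(?P<patch>\d+))?\s*$",
    re.IGNORECASE,
)


def parse_version(text):
    """Map 'v8.0 SP2 Patch 1' -> (8, 0, 2, 1) so versions compare as tuples.
    A missing service pack or patch counts as 0, so '8.0 SP2' < '8.0 SP2 Patch 1'."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(m.group(g) or 0) for g in ("major", "minor", "sp", "patch"))


def classify(product, version):
    """Return one of 'affected', 'fixed', 'unverified' or 'out-of-scope'."""
    if product not in AFFECTED_PRODUCTS:
        return "out-of-scope"
    v = parse_version(version)
    if v <= parse_version(LAST_AFFECTED):
        return "affected"
    if v >= parse_version(FIXED):
        return "fixed"
    # Builds between the last affected release and v8.1 are not named in the
    # advisory; report them as unverified rather than assume they are safe.
    return "unverified"


def triage(inventory):
    """inventory: iterable of (host, product, version) -> {host: verdict}."""
    return {host: classify(product, version) for host, product, version in inventory}


# Constructed sample inventory (hostnames, versions and the last product are invented).
SAMPLE_INVENTORY = [
    ("hmi-line1", "InduSoft Web Studio", "v8.0 SP2 Patch 1"),
    ("hmi-line2", "InTouch Machine Edition", "8.0 SP1"),
    ("hmi-line3", "InduSoft Web Studio", "v8.1"),
    ("hmi-line4", "InduSoft Web Studio", "8.0 SP2 Patch 2"),
    ("eng-ws1", "Some Other HMI", "3.2"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {verdict}")
```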