CIO

Critical remotely exploitable Schneider bug threatens industrial plants

Industrial firms using two software products from Schneider Electric are being urged to apply patches for a critical flaw that may allow remote attackers to disrupt or cripple plant operations. 

Security firm Tenable issued a warning today about a critical vulnerability affecting Schneider Electric’s InduSoft Web Studio and InTouch Machine Edition, two software products deployed across the globe in water, manufacturing, oil and gas, automotive, and wind and solar power facilities.

The US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team’s (ICS-CERT) advisory indicates the bugs were given a CVSS v3 score of 9.8 out of a possible 10. Fortunately, firms using the affected software have had several weeks to patch systems. ICS-CERT issued its alert on April 18, two weeks after Schneider Electric released its patches on April 6.       

Customers using InduSoft Web Studio v8.1 or earlier were urged to update as soon as possible to InduSoft Web Studio v8.1 SP1. Customers using InTouch Machine Edition 2017 v8.1 and earlier were urged to update to InTouch Machine Edition 2017 v8.1 SP1.

A stack-based buffer overflow flaw in the software may allow malicious code to be executed after an attacker sends a specially crafted packet to a vulnerable system. Schneider Electric warned it could “lead to a complete compromise” of servers running the software. The software is deployed on machines running Windows, Windows Server, and Windows Embedded. 

According to Tenable, a remote attacker without the right credentials can exploit the flaw if they know a specific command used by the InduSoft Web Studio Runtime Data Server service.       
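The article names the bug class (a stack-based buffer overflow reached by a crafted network packet) but, like the advisories it cites, does not describe the packet format. The following is an added, generic illustration written for this page, not Schneider Electric's or Tenable's code, and it assumes a hypothetical wire format of a two-byte length field followed by command text. It puts the unsafe pattern (a packet-supplied length copied into a fixed-size stack buffer) next to a version that checks every length before copying, which is the defect the vendor's service pack addresses in principle, whatever its actual code looks like.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMD_MAX 32   /* size of the stack buffer the command text is copied into */

/* Hypothetical wire format (an assumption for this example): a 2-byte
 * big-endian length followed by that many bytes of command text. */
static uint16_t read_len(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Unsafe pattern: the length comes from the packet, so the sender decides
 * how many bytes land in a CMD_MAX-byte stack buffer. Shown only for
 * contrast; it is never called on untrusted input here. */
int parse_command_unsafe(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_len) {
    char cmd[CMD_MAX];
    if (pkt_len < 2) return 0;
    uint16_t n = read_len(pkt);
    memcpy(cmd, pkt + 2, n);      /* n is never compared to CMD_MAX or pkt_len */
    cmd[n] = '\0';                /* may also write past the end of cmd */
    snprintf(out, out_len, "%s", cmd);
    return 1;
}

/* Hardened version: the declared length is checked against both the
 * destination buffer and the bytes actually received before any copy.
 * Returns 1 and fills out on success, 0 on any malformed packet. */
int parse_command_safe(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_len) {
    char cmd[CMD_MAX];
    if (pkt == NULL || out == NULL || out_len == 0) return 0;
    if (pkt_len < 2) return 0;                 /* truncated header */
    uint16_t n = read_len(pkt);
    if (n >= CMD_MAX) return 0;                /* must leave room for the NUL */
    if ((size_t)n > pkt_len - 2) return 0;     /* declared length exceeds payload */
    memcpy(cmd, pkt + 2, n);
    cmd[n] = '\0';
    if (strlen(cmd) != n) return 0;            /* embedded NUL in command text */
    snprintf(out, out_len, "%s", cmd);
    return 1;
}

int main(void) {
    /* Constructed sample packets: a valid 4-byte "PING" command, and one
     * whose header claims 500 bytes of command text but carries only four. */
    const uint8_t good[] = {0x00, 0x04, 'P', 'I', 'N', 'G'};
    const uint8_t bad[]  = {0x01, 0xF4, 'A', 'A', 'A', 'A'};
    char out[CMD_MAX];
    printf("good packet accepted: %d (%s)\n",
           parse_command_safe(good, sizeof good, out, sizeof out), out);
    printf("oversized packet accepted: %d\n",
           parse_command_safe(bad, sizeof bad, out, sizeof out));
    return 0;
}
```

The two functions differ only in the three checks before `memcpy`; the unsafe one is the shape of bug that lets a single unauthenticated packet take control of a listening service, and the safe one rejects the same packet before any stack write happens.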

The bug serves as a reminder of the additional dangers that come with connecting previously isolated systems for monitoring operations.

“Digital transformation has made its way to critical infrastructure, connecting once-isolated systems to the outside world,” said Dave Cole, chief product officer, Tenable. “This Schneider Electric vulnerability is particularly concerning because of the potential access it grants cybercriminals looking to do serious damage to mission-critical systems that quite literally power our communities.”

US-CERT in March put critical infrastructure providers on alert over Russian government efforts targeting organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. 

Their actions included spear-phishing, creating watering-hole domains, and credential gathering, and often targeted third-party suppliers of the intended target.

Cisco in April also warned of an increased number of attacks targeting Cisco switches used by critical infrastructure providers. The company, pointing to US-CERT's March warning, suggested government or state-sponsored hackers were targeting insecurely configured instances of the Cisco Smart Install Client.