Schneider Electric has new software to mitigate a remote code execution vulnerability in its InduSoft Web Studio and InTouch Machine Edition, according to a report released Wednesday by Tenable Research.
The applications contain an overflow condition that triggers when input is not properly validated. This allows an attacker to force a stack-based buffer overflow, resulting in denial of service or potentially allowing the execution of arbitrary code, Tenable said.
The vulnerability could end up remotely exploited without authentication to execute arbitrary commands on the target system.
An attacker can completely compromise and gain control of the system, and use it as a pivot point to execute lateral transfer.
InduSoft Web Studio is a suite of tools that provides automation building blocks to develop human-machine interfaces (HMIs), Supervisory Control And Data Acquisition (SCADA) systems and embedded instrumentation solutions.
InTouch Machine Edition is an HMI/SCADA software toolset to develop applications to connect automation systems such as Programmable Logic Controllers (PLCs) and to develop interfaces for web browsers, smartphones and tablets.
Tenable found a stack-based buffer overflow in InduSoft Web Studio and InTouch Machine Edition. A threat actor could send a crafted packet to exploit the buffer overflow vulnerability using a tag, alarm, event, read or write action to execute code.
The vulnerability can be remotely exploited without authentication and targets the IWS Runtime Data Server service, by default on TCP port 1234. The software implements a custom protocol that uses various “commands.” This vulnerability is triggered through command 50, and is caused by the incorrect usage of a string conversion function, according to Tenable in a post.
The vulnerability, when exploited, could allow an unauthenticated malicious entity to remotely execute code with high privileges.
An unauthenticated remote attacker can leverage this attack to execute arbitrary code on vulnerable systems, potentially leading to full compromise of the InduSoft Web Studio or InTouch Machine Edition server machine. A threat actor can use the compromised machine to laterally transfer within the victims network and to execute further attacks. Additionally, connected HMI clients and OT devices can be exposed to attack.
Given the widespread prevalence and market share of the affected software in the OT space, and the fact that it is frequently deployed in sensitive industries, Schneider and Tenable consider this a critical vulnerability.
The InduSoft Web Studio and ITME stack-based buffer overflow has a CVSS rating of 9.8.
Schneider Electric released InduSoft Web Studio v8.1 SP1 and InTouch Machine Edition 2017 v8.1 SP1 to address this vulnerability.
Update the application by applying the appropriate patches:
• If you’re using InduSoft Web Studio v8.1 or prior versions, you should upgrade and apply InduSoft Web Studio v8.1 SP1 as soon as possible.
• If you’re using InTouch Machine Edition 2017 v8.1 or prior versions, you should upgrade and apply InTouch Machine Edition 2017 v8.1 SP1 as soon as possible.