Schneider Electric has a mitigation plan for a remotely exploitable credentials management vulnerability in its Wonderware Historian product, according to an advisory published by ICS-CERT.
Wonderware Historian 2014 R2 SP1 P01 and earlier suffer from the remotely exploitable vulnerability. Ruslan Habalov and Jan Bee of the Google ISA Assessments Team discovered this vulnerability.
Wonderware Historian creates SQL Server logins with default passwords. Successful exploitation of this vulnerability could allow a malicious entity to compromise Historian databases, and in some installation scenarios SQL resources beyond those created by Wonderware Historian may be compromised as well.
CVE-2017-5155 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 7.3. An attacker would need only a low skill level to exploit it.
Schneider Electric recommends the following steps to mitigate this vulnerability:
1. Identify where the logins are used. Some likely places for the logins to have been used are:
• Wonderware Historian Client
• Wonderware InTouch and Application Object scripts
• Wonderware Information Server configuration
• Custom applications not supplied by Schneider Electric that interact with Historian data
2. Logins that are not used should be disabled from SQL Server Management Studio.
3. For logins that are still in use, the passwords should be changed from the default.
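The three mitigation steps above map onto a handful of T-SQL statements. The following is an added example, not code from the advisory or from Schneider Electric; the login names, the placeholder default password and the placeholder new password are assumptions to be replaced with the values from your own installation and a secret from a password manager.

```sql
-- Added example (not from the advisory): audit SQL-authenticated logins on a
-- Historian SQL Server instance, disable the unused ones, rotate the rest.
-- All login names and password literals below are placeholders.

-- Step 1: enumerate every native SQL login (type 'S'), whether it is enabled,
-- and when its password was last set. Windows logins (types 'U'/'G') are excluded.
SELECT  sp.name,
        sp.is_disabled,
        sp.modify_date,
        LOGINPROPERTY(sp.name, 'PasswordLastSetTime') AS password_last_set,
        LOGINPROPERTY(sp.name, 'IsMustChange')        AS must_change
FROM    sys.server_principals AS sp
WHERE   sp.type = 'S'
  AND   sp.name NOT LIKE '##%'          -- skip SQL Server's internal logins
ORDER BY sp.name;

-- Step 1b: check which of those logins still carry a known default password.
-- PWDCOMPARE returns 1 when the plaintext matches the stored hash; the literal
-- is a placeholder for the vendor-documented default you are checking for.
SELECT  l.name
FROM    sys.sql_logins AS l
WHERE   PWDCOMPARE('DEFAULT-PASSWORD-FROM-VENDOR-DOCS', l.password_hash) = 1;

-- Step 1c: cross-check against live activity over a representative window.
-- A login that never appears here is a candidate for disabling in step 2.
SELECT  s.login_name, s.host_name, s.program_name, s.login_time
FROM    sys.dm_exec_sessions AS s
WHERE   s.is_user_process = 1
ORDER BY s.login_time DESC;

-- Step 2: disable a login that nothing uses (placeholder name).
ALTER LOGIN [historian_unused_login] DISABLE;

-- Step 3: replace the default password on a login that is still required and
-- subject it to the Windows password policy. The literal is a placeholder.
ALTER LOGIN [historian_app_login]
    WITH PASSWORD = 'REPLACE-WITH-A-LONG-RANDOM-SECRET',
         CHECK_POLICY = ON;

-- Verification: every enabled SQL login should now show a password_last_set
-- timestamp after the rotation, and the PWDCOMPARE query above should return no rows.
SELECT  sp.name,
        LOGINPROPERTY(sp.name, 'PasswordLastSetTime') AS password_last_set
FROM    sys.server_principals AS sp
WHERE   sp.type = 'S'
  AND   sp.is_disabled = 0
  AND   sp.name NOT LIKE '##%';
```

Run the two audit queries before touching anything, and keep the PWDCOMPARE check in a scheduled job so a reinstall or restore that recreates the default logins is noticed rather than silently reintroducing the exposure.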
For an increased level of security, Schneider Electric and Microsoft further advise that connectivity to SQL Server be accomplished with Windows Integrated Security as opposed to using native SQL logins.
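What moving a client to Windows Integrated Security looks like on the server side, as an added example (not from the advisory or from Schneider Electric). The domain group, database name and login names are placeholders; the connection strings in the trailing comment are illustrative and not taken from any Wonderware documentation.

```sql
-- Added example (not from the advisory): replace a native SQL login with a
-- Windows-authenticated login so no password is stored in SQL Server or in
-- client connection strings. Names below are placeholders.

-- A server login backed by a domain group; SQL Server delegates authentication
-- to Windows (Kerberos/NTLM) and never stores a password for it.
CREATE LOGIN [CORP\HistorianClients] FROM WINDOWS
    WITH DEFAULT_DATABASE = [HistorianDb];

-- Map the login to a database user with only the rights the clients need.
-- Read-only here; add db_datawriter only for applications that write history.
USE [HistorianDb];
CREATE USER [CORP\HistorianClients] FOR LOGIN [CORP\HistorianClients];
ALTER ROLE db_datareader ADD MEMBER [CORP\HistorianClients];

-- Once every client has been repointed, retire the SQL login it replaced
-- (keep it disabled, not dropped, until the change has been verified in production).
ALTER LOGIN [historian_app_login] DISABLE;

-- Confirm: the new login exists as a Windows group login and the old one is disabled.
SELECT name, type_desc, is_disabled
FROM   sys.server_principals
WHERE  name IN ('CORP\HistorianClients', 'historian_app_login');

-- Client side, for reference (illustrative placeholder strings):
--   native SQL login, secret embedded in the string:
--     Server=historian01;Database=HistorianDb;User Id=historian_app_login;Password=...;
--   integrated security, caller's Windows identity is used instead:
--     Server=historian01;Database=HistorianDb;Integrated Security=SSPI;
```

Granting access to a domain group rather than individual accounts keeps the SQL side stable as staff and service accounts change, and it means password rotation for the Historian connection becomes an Active Directory concern rather than a SQL Server one.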