Schneider Electric released a mitigation plan for its InduSoft Web Studio and InTouch Machine Edition products to address a stack-based buffer overflow, according to a report from ICS-CERT.
Successful exploitation of this vulnerability, discovered by Aaron Portnoy, formerly of Exodus Intelligence, could allow a remote, unauthenticated attacker to execute code with high privileges.
The following versions of InduSoft Web Studio and InTouch Machine Edition, an HMI, suffer from the remotely exploitable issue:
• InduSoft Web Studio v8.0 SP2 Patch 1 and prior versions
• InTouch Machine Edition v8.0 SP2 Patch 1 and prior versions
An attacker with a low skill level could leverage the vulnerability. In addition, public exploits are available.
The vulnerability is a stack-based buffer overflow that may allow remote code execution with high privileges.
CVE-2017-14024 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
The product sees use mainly in the commercial facilities, critical manufacturing, energy, transportation systems, and water and wastewater sectors. It is also deployed on a global basis.
Schneider Electric recommends:
• Users of InduSoft Web Studio v8.0 SP2 Patch 1 or prior versions are affected and should upgrade to InduSoft Web Studio v8.1 as soon as possible.
• Users of InTouch Machine Edition v8.0 SP2 Patch 1 or prior versions are affected and should upgrade to InTouch Machine Edition 2017 v8.1 as soon as possible.
Schneider Electric released Security Bulletin LFSEC00000124.