Schneider Electric found issues with an Authenticated Communication Risk vulnerability in the Schneider Electric Software Update utility (SESU), according to a report in ICS-CERT.
The SESU is a centralized update mechanism for updating Schneider Electric software on Windows PC. Schneider Electric has updated the SESU client as of January 2013, which adds the use of HTTPS to resolve this vulnerability. This remotely exploitable vulnerability first came to Schneider Electric from security researcher Arthur Gervais.
The following products and versions suffer from the issue:
• Unity Pro, V5.0 L, M, S, XL,
• Unity Pro, V6.0 L, M, S, XL,
• Unity Pro, V6.1 L, M, S, XL,
• Unity Pro, V0 L, M, S, XL, XLS,
• Vijeo Designer V6.0.x, V6.1.0.x, V5.0.0.x, V5.1.0.x,
• Vijeo Designer Opti V6.0.x, V5.1.0.x, V5.0.0.x,
• Web Gate Client Files V5.1.x,
• IDS V1.0, V2.0,
• PowerSuite 2.5,
• Smart Widget Acti 9 V220.127.116.11,
• Smart Widget H8035 V18.104.22.168,
• Smart Widget H8036 V22.214.171.124,
• Smart Widget PM201 V126.96.36.199,
• Smart Widget PM710 V188.8.131.52,
• Smart Widget PM750 V184.108.40.206,
• SoMachine V1.2.1,
• Spacail.pro V1.0.0.x, and
• SESU V1.0.x, V1.1.x
Successfully exploiting this vulnerability could result in arbitrary code execution.
Schneider Electric is a manufacturer and integrator of energy management equipment and software. According to Schneider Electric, their products see use in energy, industry, and building automation worldwide.
Schneider Electric software on the customer PC uses the SESU service as the mechanism of communication with the Schneider Electric central update server in order to receive periodic software updates. The SESU client on the customer PC does not check the authenticity of the origin. By redirecting messages to Port 80/TCP on an unauthorized source, an attacker could execute arbitrary code on a vulnerable system that could result in loss of availability, integrity, and confidentiality.
CVE-2013-0655 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
An attacker with a medium skill level would be able to exploit this vulnerability.
Schneider Electric has produced a customer notification that contains mitigations to resolve this vulnerability. In order to resolve the vulnerability with the software server, Schneider Electric has taken the following actions:
1. The SESU server updated to the latest version. Currently, HTTP and HTTPS get support in parallel. HTTPS does ensure signed communication.
2. The new SESU client updated as of January 2013 to use HTTPS instead of HTTP. The new version of the SESU Client will be available to customers for distribution via the SESU mechanism in January 2013.
3. Customers can also use an updated software product CD that will contain the updated SESU client, when the CD becomes available. Contact your local support desk for details.
4. While HTTP and HTTPS SESU client functionality both have support, in May the HTTP port of the SESU server will end up disabled. This means only HTTPS will get support during SESU client updates from that time forward, which mitigates this current vulnerability.