Schneider Electric has an update to mitigate improper certificate validation and plaintext password storage vulnerabilities in its IGSS Mobile app, according to a report with ICS-CERT.
Successful exploitation of these locally exploitable vulnerabilities, discovered by Alexander Bolshev (IOActive) and Ivan Yushkevich (Embedi), could allow an attacker to execute a man-in-the-middle attack. In addition, passwords can be accessed by unauthorized users.
The vulnerabilities affect the following IGSS Mobile products:
• IGSS Mobile for Android, version 3.01 and all versions prior
• IGSS Mobile for iOS, version 3.01 and all versions prior
No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level could leverage the vulnerabilities.
In one vulnerability, the IGSS Mobile app lacks certificate pinning when establishing a TLS/SSL connection. This issue could allow an attacker to execute a man-in-the-middle attack.
CVE-2017-9968 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.4.
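What a pin check adds on top of ordinary chain validation, as an added illustration in Python (not Schneider Electric's code or the fix shipped in the app). The function names, parameters and the sample byte strings standing in for certificates are assumptions constructed for this example.

```python
import hashlib
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SERVER_DER = b"constructed stand-in: legitimate server certificate"
ROGUE_DER = b"constructed stand-in: interceptor certificate from another trusted CA"


class PinMismatch(Exception):
    """Peer certificate is not one of the pinned certificates."""


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def enforce_pin(der, pins) -> str:
    """Return the fingerprint if it is pinned, otherwise raise (fail closed)."""
    if not der:
        raise PinMismatch("peer presented no certificate")
    allowed = {p.replace(":", "").lower() for p in pins}
    fp = fingerprint(der)
    if fp not in allowed:  # an empty pin set rejects everything
        raise PinMismatch(f"unpinned certificate {fp}")
    return fp


def open_pinned(host: str, port: int, pins, timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect with normal chain and hostname validation, then apply the pin."""
    ctx = ssl.create_default_context()  # CA validation stays on; the pin is extra
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    try:
        enforce_pin(tls.getpeercert(binary_form=True), pins)
    except PinMismatch:
        tls.close()  # drop the session before any credentials are sent
        raise
    return tls


# Pin set a client would ship with; here derived from the constructed sample.
PINS = {fingerprint(SERVER_DER)}
```

Pinning the whole certificate means the pin set must be updated whenever the server certificate is rotated; pinning the public key instead is a common alternative.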
In another issue, IGSS Mobile app passwords are stored in clear-text in the configuration file.
CVE-2017-9969 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.0.
The product sees use in the commercial facilities, critical manufacturing and energy sectors, and it is used globally.
An update for Android with the fix for these vulnerabilities is available for download on Google Play.
An update for iOS with the fix for these vulnerabilities is available on the Apple Store.
For more information on these vulnerabilities and the associated patch, see Schneider Electric’s security notification SEVD-2018-039-02.