Schneider Electric has released a new software version to mitigate vulnerabilities in its Wonderware InTouch Access Anywhere, according to an advisory published by ICS-CERT.
The new release fixes remotely exploitable cross-site request forgery (CSRF), information exposure and inadequate encryption strength vulnerabilities discovered by Ruslan Habalov and Jan Bee of the Google ISA Assessments Team.
Wonderware InTouch Access Anywhere version 11.5.2 and prior are affected.
Successful exploitation of these vulnerabilities could allow an attacker to perform actions on behalf of a legitimate user, perform network reconnaissance, and gain access to resources beyond those intended with normal operation of the product.
No known public exploits specifically target these vulnerabilities, but an attacker with a low skill level could exploit them.
The affected product is used in the critical manufacturing, energy, healthcare and public health, and water and wastewater systems sectors, and is deployed worldwide.
Schneider Electric released a new software version to address the identified vulnerabilities and recommends users of affected versions upgrade to Wonderware InTouch Access Anywhere 2017 (17.0.0).
Users of Wonderware InTouch Access Anywhere can log in to the following support site to download the upgrade.
Schneider Electric issued Security Bulletin LFSEC00000114, which contains additional information.
In the cross-site request forgery vulnerability, a client request can be forged from a different site, which allows an external site to reach internal RDP systems through the gateway on behalf of the currently logged-in user.
CVE-2017-5156 has been assigned to this vulnerability, which has a CVSS v3 base score of 8.8.
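The following is an added example, not code from Schneider Electric or from the advisory, of the class of defect described above and the standard fix. It models a gateway endpoint that opens an RDP session for the logged-in user: the "before" version trusts the session cookie alone, which the browser attaches to a request submitted by any other site, while the "after" version refuses cross-origin requests and demands a per-session synchronizer token. The gateway origin, signing key, host names and request shapes are all constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical gateway origin and signing key; neither comes from the advisory.
# In production the key comes from a secret store, not source code.
GATEWAY_ORIGIN = "https://gateway.example.internal"
SECRET = b"constructed-demo-secret-rotate-in-production"


def same_origin(url: str, expected: str) -> bool:
    """Compare scheme, host and port only; path and query are irrelevant."""
    a, b = urlsplit(url), urlsplit(expected)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def issue_csrf_token(session_id: str, secret: bytes = SECRET) -> str:
    """Synchronizer token derived from the session id with an HMAC, so the
    server need not store it and a token from one session is useless in another."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def connect_vulnerable(request: dict) -> dict:
    """Before: the only check is the session cookie, which the browser attaches
    automatically. A page on any other site can therefore submit this request
    and open an RDP session to an internal host as the logged-in user."""
    if "session" not in request["cookies"]:
        return {"status": 401}
    return {"status": 200, "rdp_host": request["params"]["host"]}


def connect_hardened(request: dict, secret: bytes = SECRET) -> dict:
    """After: reject cross-origin requests and demand a valid per-session token."""
    session = request["cookies"].get("session")
    if session is None:
        return {"status": 401}
    # 1. Browsers set Origin (or at least Referer) on cross-site requests and
    #    page scripts cannot forge it; anything not from the gateway is refused.
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not source or not same_origin(source, GATEWAY_ORIGIN):
        return {"status": 403, "reason": "cross-origin request"}
    # 2. The token is only readable by pages served from the gateway's own
    #    origin, so a forged request cannot carry a valid one.
    supplied = request["params"].get("csrf_token", "")
    if not hmac.compare_digest(issue_csrf_token(session, secret), supplied):
        return {"status": 403, "reason": "missing or invalid CSRF token"}
    return {"status": 200, "rdp_host": request["params"]["host"]}


# Constructed sample requests. The forged one is what a browser sends when a
# page on attacker.example auto-submits a form: cookie present, token absent.
LEGIT_REQUEST = {
    "headers": {"Origin": GATEWAY_ORIGIN},
    "cookies": {"session": "sess-1"},
    "params": {"host": "hmi-01.plant.internal",
               "csrf_token": issue_csrf_token("sess-1")},
}
FORGED_REQUEST = {
    "headers": {"Origin": "https://attacker.example"},
    "cookies": {"session": "sess-1"},
    "params": {"host": "hmi-01.plant.internal"},
}

if __name__ == "__main__":
    print("vulnerable, forged:", connect_vulnerable(FORGED_REQUEST))
    print("hardened, forged:  ", connect_hardened(FORGED_REQUEST))
    print("hardened, legit:   ", connect_hardened(LEGIT_REQUEST))
```

Both checks are kept because each covers a gap in the other: the Origin check fails open when a client omits both headers, which is why it refuses rather than allows in that case, and the token check alone would not stop a request from a page that can read the token through some other bug. A `SameSite` attribute on the session cookie is a third, browser-enforced layer worth adding on top.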
In the information exposure vulnerability, the product accepts arbitrary destination addresses in specific URL parameters, so credentials can be sent to external systems of an attacker's choosing.
CVE-2017-5158 has been assigned to this vulnerability, which has a CVSS v3 base score of 6.5.
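As an added illustration of the defect class just described (again not the product's own code), the snippet below contrasts a gateway that takes both the RDP destination and the credentials from URL parameters with one that validates the destination against a server-side allowlist and only ever uses credentials held in the authenticated session. The allowlist, network range, host names and the sample attack URL are constructed for the example.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist; the real gateway's approved targets are not on the page.
ALLOWED_RDP_HOSTS = {"hmi-01.plant.internal", "hmi-02.plant.internal"}
ALLOWED_RDP_NETS = [ipaddress.ip_network("10.10.0.0/16")]
RDP_PORT = 3389

# Stand-in for what the gateway would read from its own session store.
SESSION_CREDENTIALS = {"username": "operator", "password": "held-server-side"}


def target_from_url_vulnerable(url: str) -> dict:
    """Before: whatever host the URL names is where the gateway will send the
    credentials it also reads from the URL. A link such as
    ...?host=attacker.example&user=operator&pass=... hands them to an outsider,
    and the URL itself lands in proxy logs, browser history and Referer headers."""
    q = parse_qs(urlsplit(url).query)
    return {
        "host": q["host"][0],
        "port": int(q.get("port", [str(RDP_PORT)])[0]),
        "username": q["user"][0],
        "password": q["pass"][0],
    }


def is_allowed_destination(host: str) -> bool:
    """Accept only named hosts on the allowlist or IP literals inside the plant
    networks; everything else, including any public address, is refused."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host in ALLOWED_RDP_HOSTS
    return any(addr in net for net in ALLOWED_RDP_NETS)


def target_from_url_hardened(url: str, session_credentials: dict) -> dict:
    """After: credentials come from the authenticated session, never the URL,
    and the destination must be one the gateway is meant to reach."""
    q = parse_qs(urlsplit(url).query)
    if "user" in q or "pass" in q:
        raise ValueError("credentials must not be passed as URL parameters")
    host = q.get("host", [""])[0].strip().lower()
    if not is_allowed_destination(host):
        raise ValueError(f"destination {host!r} is not an approved RDP target")
    # Pinning the port stops an approved host being used to reach some other
    # service listening on it.
    port = int(q.get("port", [str(RDP_PORT)])[0])
    if port != RDP_PORT:
        raise ValueError("non-standard RDP port refused")
    return {"host": host, "port": port, **session_credentials}


# Constructed attack URL: an external host plus credentials in the query string.
ATTACK_URL = ("https://gateway.example.internal/connect"
              "?host=attacker.example&user=operator&pass=hunter2")

if __name__ == "__main__":
    print("vulnerable:", target_from_url_vulnerable(ATTACK_URL))
    try:
        target_from_url_hardened(ATTACK_URL, SESSION_CREDENTIALS)
    except ValueError as exc:
        print("hardened refused:", exc)
```

The allowlist is the essential part: rejecting only obviously external names is not enough, because DNS rebinding or an attacker-controlled internal host can still redirect the credentials. Keeping credentials out of the URL entirely removes the second half of the exposure regardless of where the destination check sends them.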
In the inadequate encryption strength vulnerability, the software connects over Transport Layer Security without properly verifying the peer's SSL certificate, so an on-path attacker presenting a certificate that would not pass validation can intercept the session.
CVE-2017-5160 has been assigned to this vulnerability, which has a CVSS v3 base score of 5.3.