Schneider Electric Vijeo Historian Web Server Multiple Vulnerabilities
ICS-CERT originally released Advisory ICSA-11-307-01P on the US-CERT secure Portal on November 03, 2011. This web page release was delayed to allow users time to download and install the update.
Researcher Kuang-Chun Hung of Security Research and Service Institute--Information and Communication Security Technology Center (ICST) has identified four vulnerabilities in the Schneider Electric Vijeo Historian product line. These vulnerabilities include a denial of service (DoS), buffer overflow, a cross-site scripting (XSS), and a directory traversal.
ICS-CERT has coordinated this report with Schneider Electric and ICST. Schneider has produced a fix that resolves these vulnerabilities. ICST has tested this fix and validated that it fully resolves these vulnerabilities.
According to Schneider Electric the following products are affected:
- Vijeo Historian V4.30 and earlier
- CitectHistorian V4.30 and earlier
- CitectSCADA Reports V4.10 and earlier.
Successful exploitation of these vulnerabilities could result in DoS, data leakage, or remote code execution.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
Schneider Electric is a manufacturer and integrator of energy management equipment and software. According to Schneider Electric, its products are used worldwide. The Vijeo Historian, CitectHistorian, and CitectSCADA report products are data historian products. According to Schneider Electric, these products are used in energy, industry, and building automation.
Denial of Service
A buffer overflow vulnerability exists in the third-party TeeChart ActiveX control that could allow a remote attacker using social engineering to cause a DoS.
CVE-2011-4033 has been assigned to this vulnerability in the National Vulnerability Database (NVD).
A buffer overflow vulnerability exists in the third-party TeeChart ActiveX control that could allow a remote attacker using social engineering to cause a denial of service and/or execute arbitrary code.
CVE-2011-4034 has been assigned to this vulnerability in the NVD.
A XSS vulnerability exists that could allow remote attackers using social engineering to inject arbitrary web script or HTML via an HTTP request.
CVE-2011-4035 has been assigned to this vulnerability in the NVD.
A directory traversal vulnerability exists in the web portal allowing remote attackers to read arbitrary filesin an HTTP request.
CVE-2011-4036 has been assigned to this vulnerability in the NVD.
Three of these four vulnerabilities are remotely exploitable if used with social engineering. The directory traversal vulnerability can be exploited without social engineering.
Existence of Exploit
No publicly available exploits specifically targeting these vulnerabilities are known to exist.
An attacker with a low to moderate skill level could potentially exploit these vulnerabilities.
Schneider Electric has created a patch and has issued a customer notification describing the vulnerabilities.http://www.scada.schneider-electric.com/sites/scada/en/login/historian-vulnerability.page, website last accessed November 28, 2011. Schneider Electric recommends that all customers using the above mentioned software packages download and apply the patch located at http://www.citect.com/index.php?option=com_content&view=article&id=1656&Itemid=1695.
In addition to applying the patch developed by Schneider Electric, ICS-CERT encourages asset owners to take additional defensive measures against this and other cybersecurity threats by:
- Minimizing network exposure for all control system devices. Critical devices should not directly face the Internet.
- Locating control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, using secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
The Control Systems Security Program (CSSP) also provides a recommended practices section for control systems on the CSSP web page. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks: