===========================================================================
AUSCERT Security Bulletin

ASB-2014.0017
A vulnerability has been identified in a number of Schneider Electric
SCADA products
19 February 2014

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              StruxureWare SCADA Expert Vijeo Citect
                      Vijeo Citect
                      CitectSCADA
                      StruxureWare PowerSCADA Expert
                      PowerLogic SCADA
Operating System:     Windows
Impact/Access:        Denial of Service -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
Member content until: Friday, March 21 2014

OVERVIEW

A vulnerability has been identified in the following Schneider Electric
products:

 * StruxureWare SCADA Expert Vijeo Citect v7.40
 * Vijeo Citect v7.20 to v7.30SP1
 * CitectSCADA v7.20 to v7.30SP1
 * StruxureWare PowerSCADA Expert v7.30 to v7.30SR1
 * PowerLogic SCADA v7.20 to v7.20 SR1

The vendor has indicated that older versions of these products are not
affected by this vulnerability. [1]

IMPACT

The vendor has provided the following details regarding this
vulnerability:

"The vulnerability could cause a Denial of Service on the Server of the
products listed below. To exploit this vulnerability an attacker must
send a specially crafted packet to any of the Server processes.

This vulnerability was discovered during cyber security research both by
an external researcher and by Schneider Electric internal investigations.
There is no evidence that this vulnerability has been exploited.

This vulnerability would require network access to the target
application." [1]

MITIGATION

The vendor has stated that a cumulative patch has been developed which
addresses this vulnerability and recommends that all customers download
and apply the patch. [1]

Download links can be found in the vendor's original security
notification. [1]

REFERENCES

[1] Important security notification - Cumulative update for SCADA Expert
    Vijeo Citect / CitectSCADA / PowerSCADA Expert
    http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-024-02

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================