-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2015.0095
                    InduSoft Web Studio Vulnerabilities
                             28 September 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Schneider Electric InduSoft Web Studio
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
Member content until: Wednesday, October 28 2015

OVERVIEW

        Vulnerabilities have been identified in Schneider Electric's InduSoft
        Web Studio prior to version 8.0. [1]


IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:
        
        "Vulnerability Details
        
        ZDI-CAN-2649: InduSoft Web Studio Remote Agent Remote Code Execution
        Vulnerability.
        
        CVSS 7.5 (AV:L/AC:M/Au:N/C:C/I:N/A:N)
        
        ZOR Security: Unhandled code exceptions occurring during runtime of the
        InduSoft Web Studio, given a specially crafted InduSoft project file.
        
        It may allow a malicious attacker to achieve arbitrary code execution on
        the vulnerable system." [1]


MITIGATION

        Schneider Electric recommends updating InduSoft Web Studio to version
        8.0, which remediates these vulnerabilities. [1]


REFERENCES

        [1] InduSoft Web Studio Vulnerabilities
            http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2015-251-01

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----