===========================================================================
AUSCERT Security Bulletin

ASB-2015.0095
InduSoft Web Studio Vulnerabilities
28 September 2015

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Schneider Electric InduSoft Web Studio
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
Member content until: Wednesday, October 28 2015

OVERVIEW

Vulnerabilities have been identified in Schneider Electric's InduSoft Web
Studio prior to version 8.0. [1]

IMPACT

The vendor has provided the following details regarding these
vulnerabilities:

"Vulnerability Details

ZDI-CAN-2649: InduSoft Web Studio Remote Agent Remote Code Execution
Vulnerability.
CVSS 7.5 (AV:L/AC:M/Au:N/C:C/I:N/A:N)

ZOR Security: Unhandled code exceptions occurring during runtime of the
Indusoft Web Studio, given a specially crafted Indusoft Project file. It
may allow malicious attacker to achieve arbitrary code execution on the
vulnerable system." [1]

MITIGATION

Schneider Electric recommends updating InduSoft Web Studio to version 8.0,
which remediates the vulnerabilities. [1]

REFERENCES

[1] InduSoft Web Studio Vulnerabilities
    http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2015-251-01

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================