Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2013.0098 ICS-CERT ADVISORY ICSA-13-018-01 - SCHNEIDER ELECTRIC IGSS BUFFER OVERFLOW 22 January 2013 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Schneider Electric Interactive Graphical SCADA System Publisher: US-CERT Operating System: Windows Impact/Access: Administrator Compromise -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2013-0657 Original Bulletin: http://www.us-cert.gov/control_systems/pdf/ICSA-13-018-01.pdf - --------------------------BEGIN INCLUDED TEXT-------------------- ICS-CERT ADVISORY ICSA-13-018-01 - SCHNEIDER ELECTRIC IGSS BUFFER OVERFLOW January 18, 2013 OVERVIEW Independent researcher Aaron Portnoy of Exodus Intelligence has identified a buffer overflow vulnerability in Schneider Electrics Interactive Graphical SCADA System (IGSS) application. Schneider Electric has produced a patch that fully resolves this vulnerability. Aaron Portnoy has validated this patch. This vulnerability could be exploited remotely. AFFECTED PRODUCTS The Schneider Electric products affected: * IGSS application, all versions. IMPACT An exploit of this vulnerability could result in a buffer overflow that could possibly allow an attacker to execute code under administrator credentials. IGSS is employed in many sectors including renewable energy, process control, monitoring and control, motor controls, lighting controls, electrical distribution, and security systems. Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation. BACKGROUND Schneider Electric is a US-based company that maintains offices in 190 countries worldwide. Their products address various markets including renewable energy, process control, monitoring and control, motor controls, lighting controls, electrical distribution, and security systems. IGSS is a desktop application that is used to integrate industrial control system (ICS) components from diverse vendors using diverse sets of protocols and integrate their configuration and monitoring functions using IGSS as a single supervisory or human-machine interface (HMI) system. This software is employed worldwide in a broad range of application areas outside those market areas listed above. VULNERABILITY CHARACTERIZATION VULNERABILITY OVERVIEW Vulnerability classifications are classified by Common Weakness Enumerations (CWE). [a] This stack-based buffer overflow is classified as CWE-121. STACK-BASED BUFFER OVERFLOW [b] IGSS communicates with a broad range of ICS devices using a broad range of protocols over two network ports, Ports (12397 and 12399)/TCP by default. This exploit has found that out-of-protocol communication over Port 12397/TCP can cause a buffer overflow condition. Although this overflow can cause the application to crash, an attacker can also apply techniques to take advantage of the buffer overflow and likely execute malicious code with administrator privileges. CVE-2013-0657 [c] has been assigned to this vulnerability. A CVSS v2 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:C/I:C/A:C). [d] VULNERABILITY DETAILS EXPLOITABILITY This vulnerability can be exploited remotely. EXISTENCE OF EXPLOIT No known public exploits specifically target this vulnerability. DIFFICULTY An attacker with a moderate skill would be able to exploit this vulnerability. MITIGATION The best mitigation for this vulnerability is applying the appropriate vendor-supplied patch listed in the footnotes below. Schneider Electric has issued two patches for versions V9 [e] and V10[f] If this vulnerability is not mitigated, a remote attacker could cause a buffer overflow and allow malicious code to be executed with administrator privileges. of the IGSS software to address this vulnerability. These patches are available from the Schneider Electric Web site or directly from the links in this advisory. Aaron Portnoy of Exodus Intelligence has validated the patches. Users of this software with older versions should upgrade their software or employ other mitigation methods. At a minimum, this port should be filtered to only allow access from the specific IP addresses for the devices being controlled or monitored. General measures listed below can also be employed to help mitigate this vulnerability. ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks. * Minimize network exposure for all control system devices. Critical devices should not directly face the Internet. * Locate control system networks and remote devices behind firewalls, and isolate them from the business network. * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices. ICS-CERT provides a section for control systems security recommended practices on the US-CERT Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. [g] ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures. Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01A - Cyber Intrusion Mitigation Strategies, [h] that is available for download from the ICS-CERT Web page (www.ics-cert.org). Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. Previous Recommendations can be used as needed (otherwise, delete this text). List other products that are specific to the topic (i.e., phishing mitigations): In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks: 1. Do not click Web links or open unsolicited attachments in email messages. 2. Refer to Recognizing and Avoiding Email Scams [i] for more information on avoiding email scams. 3. Refer to Avoiding Social Engineering and Phishing Attacks [j] for more information on social engineering attacks. For any questions related to this report, please contact ICS-CERT at: Email: ics-cert@hq.dhs.gov Toll Free: 1-877-776-7585 For industrial control systems security information and incident reporting: www.ics-cert.org ICS-CERT continuously strives to improve its products and services. You can help by answering a short series of questions about this product at the following URL: https://forms.us-cert.gov/ncsd-feedback/. a. CWE: Common Weakness Enumerations, http://cwe.mitre.org/data/ , Web site last accessed January 18, 2013. b. CWE-121, http://cwe.mitre.org/data/definitions/121.html , CWE-121: Stack-based Buffer Overflow, Web site last accessed January 18, 2013. c. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0657 , NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory. d. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?name=&vector=%28AV:N/AC:L/Au:N/C:C/I:C/A:C%29&version=2 Web site last visited January 18, 2013. e. IGSS V9 Patch, http://igss.schneider-electric.com/igss/igssupdates/v90/progupdatesv90.zip , last visited January 18, 2013 f. IGSS V10 Patch, http://igss.schneider-electric.com/igss/igssupdates/v100/progupdatesv100.zip , last visited January 18, 2013 g. CSSP Recommended Practices, http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html , Web site last accessed January 18, 2013. h. Cyber Intrusion Mitigation Strategies, http://www.us-cert.gov/control_systems/pdf/ICS-TIP-12-146-01A.pdf , Web site last accessed January 18, 2013. i. Recognizing and Avoiding Email Scams, http://www.us-cert.gov/reading_room/emailscams_0905.pdf , Web site last accessed January 18, 2013. j. National Cyber Alert System Cyber Security Tip ST04-014 , http://www.us-cert.gov/cas/tips/ST04-014.html, Web site last accessed January 18, 2013. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUP4koO4yVqjM2NGpAQIs4hAAvBLWYtdvbZjmruJQtt/udBNDe8aO7RC1 iQvptt471PweIH48PIoRnOvvBTTxxlSZgOsdgJtFy6h75Q219gxO9kt2C/lN/7sd kmeZdwOs/9UMKD3W5zXXEzD51qWah0TAdgL63pKm90CvVwgZGc0GMN3jr/teyWrw JlPg3B0WZw0Hc4daH3cgO5s2gwnSfGzRekiEUTfHO9vPPy0JW76mrPa4oHez1h84 zh/wkmZKKUvAvumjf4qofr1jQw8xNSukPfa1auweEAMXvchCMRDp/IlRu25X/N8V ODdb0Zr4MtP18d7jqZ3HcoHJq0aWeZ7WkRw9tv5nzBk58qYYKPDlHnFj8wmyTyjx btKSN7SYEapmSepHn1Ixsv/G904W6SYawYDiQ5FtKpxCq8Nln927BPhDozPpejOt dE3U3ggW14iU4VFr3nTJJrJharf07ydugcVKQKDFdHL73hueXL/KOOg6L1sJ/h3A ZzOuT8Ax8gRXmxPlG8ch6akT6+clNCqDFrORTf78trQYTWEGGWz+hg5OqvTX2s1M LsAXoZENcLUF2SwefGYZIC1xMY/ZNIsQ9cNMLl5SOr5kVZjZocrPVny2fVAtcWoP fCH7UADcdgXTuYlO3/SS+9IbNeKZbmxJmzHq0YzWMe+ZHN44/sJrX6ZG79Hw27Yo ggGY54FKDic= =Dapd -----END PGP SIGNATURE-----