Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0098
ICS-CERT ADVISORY ICSA-13-018-01 - SCHNEIDER ELECTRIC IGSS BUFFER OVERFLOW
22 January 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Schneider Electric Interactive Graphical SCADA System
Publisher: US-CERT
Operating System: Windows
Impact/Access: Administrator Compromise -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2013-0657
Original Bulletin:
http://www.us-cert.gov/control_systems/pdf/ICSA-13-018-01.pdf
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS-CERT ADVISORY ICSA-13-018-01 - SCHNEIDER ELECTRIC IGSS BUFFER OVERFLOW
January 18, 2013
OVERVIEW
Independent researcher Aaron Portnoy of Exodus Intelligence has identified a
buffer overflow vulnerability in Schneider Electrics Interactive Graphical
SCADA System (IGSS) application. Schneider Electric has produced a patch that
fully resolves this vulnerability. Aaron Portnoy has validated this patch.
This vulnerability could be exploited remotely.
AFFECTED PRODUCTS
The Schneider Electric products affected:
* IGSS application, all versions.
IMPACT
An exploit of this vulnerability could result in a buffer overflow that could
possibly allow an attacker to execute code under administrator credentials.
IGSS is employed in many sectors including renewable energy, process control,
monitoring and control, motor controls, lighting controls, electrical
distribution, and security systems. Impact to individual organizations depends
on many factors that are unique to each organization. ICS-CERT recommends that
organizations evaluate the impact of this vulnerability based on their
operational environment, architecture, and product implementation.
BACKGROUND
Schneider Electric is a US-based company that maintains offices in 190
countries worldwide. Their products address various markets including
renewable energy, process control, monitoring and control, motor controls,
lighting controls, electrical distribution, and security systems.
IGSS is a desktop application that is used to integrate industrial control
system (ICS) components from diverse vendors using diverse sets of protocols
and integrate their configuration and monitoring functions using IGSS as a
single supervisory or human-machine interface (HMI) system. This software is
employed worldwide in a broad range of application areas outside those market
areas listed above.
VULNERABILITY CHARACTERIZATION
VULNERABILITY OVERVIEW
Vulnerability classifications are classified by Common Weakness Enumerations
(CWE). [a] This stack-based buffer overflow is classified as CWE-121.
STACK-BASED BUFFER OVERFLOW [b]
IGSS communicates with a broad range of ICS devices using a broad range of
protocols over two network ports, Ports (12397 and 12399)/TCP by default. This
exploit has found that out-of-protocol communication over Port 12397/TCP can
cause a buffer overflow condition. Although this overflow can cause the
application to crash, an attacker can also apply techniques to take advantage
of the buffer overflow and likely execute malicious code with administrator
privileges.
CVE-2013-0657 [c] has been assigned to this vulnerability. A CVSS v2 base
score of 10.0 has been assigned; the CVSS vector string is
(AV:N/AC:L/Au:N/C:C/I:C/A:C). [d]
VULNERABILITY DETAILS
EXPLOITABILITY
This vulnerability can be exploited remotely.
EXISTENCE OF EXPLOIT
No known public exploits specifically target this vulnerability.
DIFFICULTY
An attacker with a moderate skill would be able to exploit this vulnerability.
MITIGATION
The best mitigation for this vulnerability is applying the appropriate
vendor-supplied patch listed in the footnotes below. Schneider Electric has
issued two patches for versions V9 [e] and V10[f] If this vulnerability is not
mitigated, a remote attacker could cause a buffer overflow and allow malicious
code to be executed with administrator privileges. of the IGSS software to
address this vulnerability. These patches are available from the Schneider
Electric Web site or directly from the links in this advisory. Aaron Portnoy
of Exodus Intelligence has validated the patches. Users of this software with
older versions should upgrade their software or employ other mitigation
methods. At a minimum, this port should be filtered to only allow access from
the specific IP addresses for the devices being controlled or monitored.
General measures listed below can also be employed to help mitigate this
vulnerability.
ICS-CERT encourages asset owners to take additional defensive measures to
protect against this and other cybersecurity risks.
* Minimize network exposure for all control system devices. Critical devices
should not directly face the Internet.
* Locate control system networks and remote devices behind firewalls, and
isolate them from the business network.
* When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing that VPN is only as secure as the connected
devices.
ICS-CERT provides a section for control systems security recommended practices
on the US-CERT Web page. Several recommended practices are available for
reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies. [g] ICS-CERT reminds
organizations to perform proper impact analysis and risk assessment prior to
taking defensive measures.
Additional mitigation guidance and recommended practices are publicly
available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01A -
Cyber Intrusion Mitigation Strategies, [h] that is available for download from
the ICS-CERT Web page (www.ics-cert.org). Organizations observing any
suspected malicious activity should follow their established internal
procedures and report their findings to ICS-CERT for tracking and correlation
against other incidents.
Previous Recommendations can be used as needed (otherwise, delete this text).
List other products that are specific to the topic (i.e., phishing
mitigations): In addition, ICS-CERT recommends that users take the following
measures to protect themselves from social engineering attacks:
1. Do not click Web links or open unsolicited attachments in email messages.
2. Refer to Recognizing and Avoiding Email Scams [i] for more information on
avoiding email scams.
3. Refer to Avoiding Social Engineering and Phishing Attacks [j] for more
information on social engineering attacks.
For any questions related to this report, please contact ICS-CERT at:
Email: ics-cert@hq.dhs.gov Toll Free: 1-877-776-7585
For industrial control systems security information and incident reporting:
www.ics-cert.org
ICS-CERT continuously strives to improve its products and services. You can
help by answering a short series of questions about this product at the
following URL: https://forms.us-cert.gov/ncsd-feedback/.
a. CWE: Common Weakness Enumerations, http://cwe.mitre.org/data/ , Web site
last accessed January 18, 2013.
b. CWE-121, http://cwe.mitre.org/data/definitions/121.html , CWE-121:
Stack-based Buffer Overflow, Web site last accessed January 18, 2013.
c. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0657 , NIST
uses this advisory to create the CVE Web site report. This Web site will be
active sometime after publication of this advisory.
d. CVSS Calculator,
http://nvd.nist.gov/cvss.cfm?name=&vector=%28AV:N/AC:L/Au:N/C:C/I:C/A:C%29&version=2
Web site last visited January 18, 2013.
e. IGSS V9 Patch,
http://igss.schneider-electric.com/igss/igssupdates/v90/progupdatesv90.zip ,
last visited January 18, 2013
f. IGSS V10 Patch,
http://igss.schneider-electric.com/igss/igssupdates/v100/progupdatesv100.zip ,
last visited January 18, 2013
g. CSSP Recommended Practices,
http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html ,
Web site last accessed January 18, 2013.
h. Cyber Intrusion Mitigation Strategies,
http://www.us-cert.gov/control_systems/pdf/ICS-TIP-12-146-01A.pdf , Web site
last accessed January 18, 2013.
i. Recognizing and Avoiding Email Scams,
http://www.us-cert.gov/reading_room/emailscams_0905.pdf , Web site last
accessed January 18, 2013.
j. National Cyber Alert System Cyber Security Tip ST04-014 ,
http://www.us-cert.gov/cas/tips/ST04-014.html, Web site last accessed
January 18, 2013.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUP4koO4yVqjM2NGpAQIs4hAAvBLWYtdvbZjmruJQtt/udBNDe8aO7RC1
iQvptt471PweIH48PIoRnOvvBTTxxlSZgOsdgJtFy6h75Q219gxO9kt2C/lN/7sd
kmeZdwOs/9UMKD3W5zXXEzD51qWah0TAdgL63pKm90CvVwgZGc0GMN3jr/teyWrw
JlPg3B0WZw0Hc4daH3cgO5s2gwnSfGzRekiEUTfHO9vPPy0JW76mrPa4oHez1h84
zh/wkmZKKUvAvumjf4qofr1jQw8xNSukPfa1auweEAMXvchCMRDp/IlRu25X/N8V
ODdb0Zr4MtP18d7jqZ3HcoHJq0aWeZ7WkRw9tv5nzBk58qYYKPDlHnFj8wmyTyjx
btKSN7SYEapmSepHn1Ixsv/G904W6SYawYDiQ5FtKpxCq8Nln927BPhDozPpejOt
dE3U3ggW14iU4VFr3nTJJrJharf07ydugcVKQKDFdHL73hueXL/KOOg6L1sJ/h3A
ZzOuT8Ax8gRXmxPlG8ch6akT6+clNCqDFrORTf78trQYTWEGGWz+hg5OqvTX2s1M
LsAXoZENcLUF2SwefGYZIC1xMY/ZNIsQ9cNMLl5SOr5kVZjZocrPVny2fVAtcWoP
fCH7UADcdgXTuYlO3/SS+9IbNeKZbmxJmzHq0YzWMe+ZHN44/sJrX6ZG79Hw27Yo
ggGY54FKDic=
=Dapd
-----END PGP SIGNATURE-----