Schneider Electric Authenticated Communication Risk Vulnerability
ICSA: ICS Advisory (ICSA-13-016-01)
ICS-CERT received a report from Schneider Electric concerning an Authenticated Communication Risk vulnerability in the Schneider Electric Software Update (SESU) utility. This vulnerability was reported to Schneider Electric by security researcher Arthur Gervais.
The SESU is a centralized mechanism for updating Schneider Electric software on Windows PCs. Schneider Electric has updated the SESU client as of January 2013, which adds the use of HTTPS to resolve this vulnerability.
This vulnerability could be exploited remotely.
According to Schneider Electric, the following products and versions are affected by use of the SESU mechanism:
- Unity Pro, V5.0 L, M, S, XL,
- Unity Pro, V6.0 L, M, S, XL,
- Unity Pro, V6.1 L, M, S, XL,
- Unity Pro, V0 L, M, S, XL, XLS,
- Vijeo Designer V6.0.x, V6.1.0.x, V5.0.0.x, V5.1.0.x,
- Vijeo Designer Opti V6.0.x, V5.1.0.x, V5.0.0.x,
- Web Gate Client Files V5.1.x,
- IDS V1.0, V2.0,
- PowerSuite 2.5,
- Smart Widget Acti 9 V184.108.40.206,
- Smart Widget H8035 V220.127.116.11,
- Smart Widget H8036 V18.104.22.168,
- Smart Widget PM201 V22.214.171.124,
- Smart Widget PM710 V126.96.36.199,
- Smart Widget PM750 V188.8.131.52,
- SoMachine V1.2.1,
- Spacial.pro V1.0.0.x, and
- SESU V1.0.x, V1.1.x
Successfully exploiting this vulnerability could result in arbitrary code execution.
Impact to individual organizations depends on many factors that are unique to each organization.
ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
Schneider Electric is a manufacturer and integrator of energy management equipment and software. According to Schneider Electric, their products are used in energy, industry, and building automation worldwide.
Authenticated Communications Risk [a]
Schneider Electric software on the customer PC uses the SESU service as the mechanism of communication with the Schneider Electric central update server in order to receive periodic software updates. The SESU client on the customer PC does not check the authenticity of the origin. By redirecting messages to Port 80/TCP on an unauthorized source, an attacker could execute arbitrary code on a vulnerable system that could result in loss of availability, integrity, and confidentiality.
CVE-2013-0655 [b] has been assigned to this vulnerability. A CVSS v2 base score of 9.3 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:C/I:C/A:C).
This vulnerability could be exploited remotely.
EXISTENCE OF EXPLOIT
No known public exploits exist that target this vulnerability.
An attacker with a medium skill level would be able to exploit this vulnerability.
Schneider Electric has produced a customer notification [c] that contains mitigations to resolve this vulnerability. According to Schneider Electric, in order to resolve the vulnerability with the software server, Schneider Electric has taken the following actions:
- The SESU server has been updated to the latest version. Currently, both HTTP and HTTPS are supported in parallel. HTTPS does ensure signed communication.
- The new SESU client has been updated as of January 2013 to use HTTPS instead of HTTP. The new version of the SESU Client will be made available to customers for distribution via the SESU mechanism in January 2013.
- Customers can also use an updated software product CD that will contain the updated SESU client, when the CD becomes available. Contact your local support desk for details.
- While both HTTP and HTTPS SESU client functionality is supported currently, several months after starting to update the SESU clients (May 2013) the HTTP port of the SESU server will be disabled. This means that only HTTPS will be supported during SESU client updates from that time forward, which mitigates this current vulnerability.
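The origin check that the advisory says the SESU client lacked, and that the move to HTTPS supplies, can be sketched as follows. This is an added example, not Schneider Electric's code: the host name `updates.example.invalid`, the URL paths, and all function names are placeholders, since the advisory does not name the update server. The policy is applied to the first request and to every redirect hop, so a redirect back to Port 80/TCP is refused.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit

# Placeholder host: the advisory does not name the real update server.
UPDATE_HOST = "updates.example.invalid"


class UntrustedOrigin(Exception):
    """Raised when an update URL fails the origin policy."""


def check_update_url(url: str) -> str:
    """Accept only https://UPDATE_HOST[:443]/...; reject everything else."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UntrustedOrigin(f"cleartext or unknown scheme: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UntrustedOrigin("userinfo present in update URL")
    if (parts.hostname or "") != UPDATE_HOST:
        raise UntrustedOrigin(f"unexpected host: {parts.hostname!r}")
    try:
        port = parts.port
    except ValueError as exc:  # malformed port such as ':99999'
        raise UntrustedOrigin("malformed port") from exc
    if port not in (None, 443):
        raise UntrustedOrigin(f"unexpected port: {port}")
    return url


class PinnedRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Re-apply the policy on each redirect (blocks HTTPS-to-HTTP downgrade)."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        check_update_url(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def tls_context() -> ssl.SSLContext:
    """Default context: certificate chain and host name are both verified."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fetch_update(url: str, timeout: float = 10.0) -> bytes:
    """Download update metadata only from the authenticated origin."""
    check_update_url(url)
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=tls_context()), PinnedRedirectHandler()
    )
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()
```
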
ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
- Minimize network exposure for all control system devices. Critical devices should not directly face the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
ICS-CERT also provides a section for control systems security recommended practices on the US-CERT Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01A—Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
- a. CWE-287: Improper Authentication, http://cwe.mitre.org/data/definitions/287.html, CWE-287, Improper Authentication, Web site last accessed January 16, 2013.
- b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0655, NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory.
- c. Schneider Electric Customer Notification, http://www2.schneider-electric.com/corporate/en/support/cybersecurity/viewer-news.page?c_filepath=/templatedata/Content/News/data/en/local/cybersecurity/general_information/2013/01/20130109_advisory_of_vulnerability_affecting_schneider_electric_s_software_upda.xml, Web site last accessed January 16, 2012.