| Date | Type | Platform | Author | EDB-ID | CVE-ID | OSVDB-ID | Download | App | SIS Signature |
|---|---|---|---|---|---|---|---|---|---|
| 2017-11-09 | Other | Schneider Electric | Aaron Portnoy, formerly of Exodus Intelligence, reported the vulnerability to Schneider Electric. | N/A | CVE-2017-14024 | N/A | | N/A | N/A |
Source

# Schneider Electric InduSoft Web Studio and InTouch Machine Edition
### VULNERABLE VENDOR
Schneider Electric
### VULNERABLE PRODUCT
InduSoft Web Studio, InTouch Machine Edition
### RESEARCHER
Aaron Portnoy, formerly of Exodus Intelligence, reported the vulnerability to Schneider Electric.
### AFFECTED PRODUCTS
The following versions of InduSoft Web Studio and InTouch Machine Edition, an HMI, are affected:
- InduSoft Web Studio v8.0 SP2 Patch 1 and prior versions, and
- InTouch Machine Edition v8.0 SP2 Patch 1 and prior versions.
### IMPACT
Successful exploitation of this vulnerability could allow a remote, unauthenticated attacker to execute code with high privileges.
### VULNERABILITY OVERVIEW
STACK-BASED BUFFER OVERFLOW (CWE-121)
A stack-based buffer overflow vulnerability has been identified that may allow remote code execution with high privileges.
CVE-2017-14024 has been assigned to this vulnerability.
A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
### BACKGROUND
Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems, and Water and Wastewater Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: France
### MITIGATION
Schneider Electric recommends:
- Users of InduSoft Web Studio v8.0 SP2 Patch 1 or prior versions are affected and should upgrade to InduSoft Web Studio v8.1 as soon as possible.
- Users of InTouch Machine Edition v8.0 SP2 Patch 1 or prior versions are affected and should upgrade to InTouch Machine Edition 2017 v8.1 as soon as possible.
Schneider Electric has also released Security Bulletin LFSEC00000124, which can be found at:
http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000124/