Schneider Electric informed customers recently that several vulnerabilities have been found in its IGSS automation product, including in the SCADA software and mobile applications.
Ivan Sanchez of Nullcode discovered that the IGSS SCADA software is affected by a configuration issue that leads to Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) mitigations not being implemented properly.
The flaw, tracked as CVE-2017-9967 and classified as high severity, affects version 12 and earlier of the IGSS SCADA software. The issue has been addressed with the release of version 13.
One of the flaws, CVE-2017-9968, is related to the lack of certificate pinning when the apps establish a TLS/SSL connection, which makes it easier to launch man-in-the-middle (MitM) attacks.
The second weakness, CVE-2017-9969, allows an attacker to obtain app passwords and other potentially sensitive data from a configuration file, where the information is stored in clear text.
The security holes affect IGSS Mobile for Android and iOS versions 3.0 and prior, and they have been patched by Schneider with the release of version 3.1.1.
The IGSS Mobile vulnerabilities were discovered by researchers at IOActive and Embedi as part of a project that targeted SCADA mobile apps from 34 vendors.
In a report published last month, the companies revealed that flaws had been identified in a vast majority of the tested SCADA applications, including issues that can be exploited to influence industrial processes.
The project focused on Android applications, but Schneider Electric apparently determined that the iOS version of its IGSS app was also impacted by the vulnerabilities discovered by IOActive and Embedi researchers.
Schneider Electric also informed customers last week of a high severity remote code execution vulnerability affecting its StruxureOn Gateway product.
“Uploading a zip which contains carefully crafted metadata allows for the file to be uploaded to any directory on the host machine information which could lead to remote code execution,” the vendor said in its advisory.
The flaw, tracked as CVE-2017-9970, affects StruxureOn Gateway 1.0.0 through 1.1.3 and it has been patched with the release of version 1.2.
Schneider Electric admitted recently that the Triton/Trisis malware, whose existence was brought to light in mid-December, exploited a zero-day vulnerability in the company’s Triconex Safety Instrumented System (SIS) controllers.