Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Schneider Electric Patches Several Flaws in IGSS Products

Schneider Electric informed customers recently that several vulnerabilities have been found in its IGSS automation product, including in the SCADA software and mobile applications.

Schneider Electric informed customers recently that several vulnerabilities have been found in its IGSS automation product, including in the SCADA software and mobile applications.

Ivan Sanchez of Nullcode discovered that the IGSS SCADA software is affected by a configuration issue that leads to Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) mitigations not being implemented properly.

The flaw, tracked as CVE-2017-9967 and classified as high severity, affects version 12 and earlier of the IGSS SCADA software. The issue has been addressed with the release of version 13.

Another advisory published recently by Schneider Electric describes two medium severity vulnerabilities discovered by researchers in the IGSS Mobile applications for Android and iOS.

One of the flaws, CVE-2017-9968, is related to the lack of certificate pinning when the apps establish a TLS/SSL connection, which makes it easier to launch man-in-the-middle (MitM) attacks.

The second weakness, CVE-2017-9969, allows an attacker to obtain app passwords and other potentially sensitive data from a configuration file, where the information is stored in clear text.

Learn More at SecurityWeek’s ICS Cyber Security Conference

The security holes affect IGSS Mobile for Android and iOS versions 3.0 and prior, and they have been patched by Schneider with the release of version 3.1.1.

The IGSS Mobile vulnerabilities were discovered by researchers at IOActive and Embedi as part of a project that targeted SCADA mobile apps from 34 vendors.

In a report published last month, the companies revealed that flaws had been identified in a vast majority of the tested SCADA applications, including issues that can be exploited to influence industrial processes.

The project focused on Android applications, but Schneider Electric apparently determined that the iOS version of its IGSS app was also impacted by the vulnerabilities discovered by IOActive and Embedi researchers.

Schneider Electric also informed customers last week of a high severity remote code execution vulnerability affecting its StruxureOn Gateway product.

“Uploading a zip which contains carefully crafted metadata allows for the file to be uploaded to any directory on the host machine information which could lead to remote code execution,” the vendor said in its advisory.

The flaw, tracked as CVE-2017-9970, affects StruxureOn Gateway 1.0.0 through 1.1.3 and it has been patched with the release of version 1.2.

Schneider Electric admitted recently that the Triton/Trisis malware, whose existence was brought to light in mid-December, exploited a zero-day vulnerability in the company’s Triconex Safety Instrumented System (SIS) controllers.

Related: Schneider Electric Patches Critical Flaw in HMI Products

Related: Schneider Electric Patches Flaws in Pelco Video Management System

Related: Unpatched Flaws in Schneider Electric U.motion Builder Disclosed

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.