Updates released by Schneider Electric for its VAMPSET and SoMachine HVAC products patch several medium and high severity vulnerabilities that can be exploited for denial-of-service (DoS) attacks and arbitrary code execution.
Advisories describing the flaws were published recently by both ICS-CERT and Schneider Electric.
One of the advisories focuses on a medium severity memory corruption vulnerability affecting VAMPSET, a piece of software used to configure and maintain protection relays and arc flash protection units. The bug, tracked as CVE-2017-7967, can be triggered using a specially crafted settings file (.vf2).
“This vulnerability causes the software to halt or not start when trying to open the corrupted file,” Schneider wrote in its advisory. “As Windows operating system remains operational and VAMPSET responds, it is able to be shut down through its normal closing protocol.”
According to Fortinet’s Kushal Arvind Shah, the researcher who reported the flaw to the vendor, an attacker may also be able to exploit the weakness for arbitrary code execution.
The flaw has been addressed with the release of VAMPSET 2.2.189. All previous versions are affected.
Separate advisories describe two high severity vulnerabilities found by independent researchers in Schneider’s SoMachine HVAC product, a programming software for Modicon logic controllers. Both security holes have been patched with the release of SoMachine HVAC 2.2.
One of the flaws, CVE-2017-7966, has been described as a DLL hijacking issue that can be exploited by a remote, unauthenticated attacker to execute arbitrary code by planting a malicious library that would get executed instead of the legitimate file.
The second vulnerability, classified as a stack-based buffer overflow and tracked as CVE-2017-7966, is related to a component named AlTracePrint.exe. Schneider and ICS-CERT have not shared any details, but mentioned that the component can be called in a way that leads to a buffer overflow and a crash.
Last month, researchers from Germany-based OpenSource Security disclosed a couple of critical vulnerabilities in Schneider’s Modicon and SoMachine products before the vendor released patches.
The experts reported the flaws to the company in December and decided to make their findings public after not receiving any feedback. Schneider admitted making a mistake and promised to release fixes in mid-June.
Related Reading: Schneider Electric Patches Flaws in Modicon, Wonderware Products
Related Reading: High Severity Flaws Patched by Siemens, Schneider Electric
Related Reading: Schneider Electric Patches Flaws in ClearSCADA, Wonderware Products