Critical vulnerability found in infrastructure and manufacturing applications
A critical remote code execution vulnerability has been discovered in two Schneider Electric applications heavily used in manufacturing, oil and gas, water, automation and wind and solar power facilities.
The vulnerability, discovered by cyber exposure company Tenable, could, if exploited, give cyber criminals complete control of the underlying system.
Attackers would also be able to use the compromised system to move laterally through the network, exposing additional systems to attack. In a worst-case scenario, attackers could use the vulnerability to disrupt or cripple plant operations.
The vulnerability impacts two products: InduSoft Web Studio, an automation tool used to develop human-machine interfaces (HMIs), supervisory control and data acquisition (SCADA) systems and embedded instrumentation solutions that connect operational technology (OT) with the Internet or corporate intranets; and InTouch Machine Edition, a scalable HMI client. This software is commonly used across several heavy industries, including manufacturing, oil and gas, and automotive. With the growing adoption of distributed and remote monitoring in industrial environments, OT and IT are converging. As OT becomes increasingly connected and crosses boundaries, these safety-critical systems are increasingly vulnerable to cyber attacks.
"Digital transformation has made its way to critical infrastructure, connecting once-isolated systems to the outside world," says Dave Cole, chief product officer at Tenable. "This Schneider Electric vulnerability is particularly concerning because of the potential access it grants cybercriminals looking to do serious damage to mission-critical systems that quite literally power our communities. Tenable Research is focused on assessing, analyzing and reducing the industry’s overall Cyber Exposure across the modern computing environment -- be it cloud, IT, IoT or OT. Solving this growing problem requires us to come together as an industry and we commend Schneider Electric at the speed they released a patch to remediate this critical issue."
A remote attacker without credentials can use the vulnerability to execute arbitrary code on vulnerable systems, potentially leading to full compromise of the InduSoft Web Studio or InTouch Machine Edition server machine. A threat actor can use the compromised machine to move laterally within the victim's network and execute further attacks.
Tenable Research has worked with the vendor to responsibly disclose the vulnerability, and Schneider Electric has released patches for both affected systems.