CybersecurityCritical industrial software flaws left U.S. infrastructure vulnerable to hackers

Tenable Research, a Maryland-based cybersecurity firm, has discovered vulnerabilities in two applications widely used by manufacturers and power plant operators. These vulnerabilitiers may have given hackers a foothold in U.S. critical infrastructureg.

Tenable Research says it has recently discovered a new remote code execution vulnerability in Schneider Electric’s InduSoft Web Studio and InTouch Machine Edition. The applications contain an overflow condition that is triggered when input is not properly validated. This allows an attacker to force a stack-based buffer overflow, resulting in denial of service or potentially allowing the execution of arbitrary code.

Background
InduSoft Web Studio is a suite of tools that provides automation building blocks to develop human-machine interfaces (HMIs), Supervisory Control and Data Acquisition (SCADA) systems and embedded instrumentation solutions.

InTouch Machine Edition is an HMI/SCADA software toolset to develop applications to connect automation systems such as Programmable Logic Controllers (PLCs) and to develop interfaces for web browsers, smartphones and tablets.

SCADA systems, comprising industrial-grade hardware and software, are a standard component of Industrial Control Systems (ICSs). They have traditionally been deployed around the world to monitor industrial infrastructure to collect, analyze and control information from sensors. With the growing adoption of distributed and remote monitoring in industrial environments, SCADA and operational technology (OT) are converging to provide true “beyond the perimeter” connectivity.

Diverse industries including agriculture, transportation, energy, nuclear power, manufacturing, entertainment and physical security use SCADA in conjunction with OT. Because of the critical and wide range of applications in modern infrastructure, SCADA systems have become a primary security concern and are increasingly being targeted by threat actors.

Business impact
Tenable Research says that an unauthenticated remote attacker can leverage this attack to execute arbitrary code on vulnerable systems, potentially leading to full compromise of the InduSoft Web Studio or InTouch Machine Edition server machine. A threat actor can use the compromised machine to laterally transfer within the victims network and to execute further attacks. Additionally, connected HMI clients and OT devices can be exposed to attack.

Given the widespread prevalence and market share of the affected software in the OT space, and the fact that it is frequently deployed in sensitive industries, Schneider and Tenable consider this a critical vulnerability requiring urgent attention and response from affected end users.

Solution
Schneider Electric has released InduSoft Web Studio v8.1 SP1 and InTouch Machine Edition 2017 v8.1 SP1 to address this vulnerability. Update the application by applying the appropriate patches.

· If you’re using InduSoft Web Studio v8.1 or prior versions, you should upgrade and apply InduSoft Web Studio v8.1 SP1 as soon as possible.

· If you’re using InTouch Machine Edition 2017 v8.1 or prior versions, you should upgrade and apply InTouch Machine Edition 2017 v8.1 SP1 as soon as possible.