A remote code execution vulnerability found in two Schneider Electric applications, InduSoft Web Studio and InTouch Machine Edition, has been revealed by cyber security vendor Tenable.
These applications are used by industries such as in manufacturing, oil and gas, water, automation, wind and solar power facilities in the United States.
According to Tenable's researchers, cyber criminals exploiting the vulnerabilities could gain complete control of the underlying system.
If compromised, the system could allow cyber criminals to move laterally through the network, exposing additional systems to attack, including human-machine interface (HMI) clients. The worst case scenario would see attackers able use the vulnerability to disrupt or even cripple plant operations.
"Digital transformation has made its way to critical infrastructure, connecting once-isolated systems to the outside world,” Tenable chief product officer Dave Cole said. “This Schneider Electric vulnerability is particularly concerning because of the potential access it grants cyber criminals looking to do serious damage to systems that quite literally power our communities.
"Tenable Research is focused on assessing, analysing and reducing the industry’s overall cyber exposure across the modern computing environment — be it cloud, IT, IoT or OT [operational technology]. Solving this growing problem requires us to come together as an industry and we commend Schneider Electric at the speed they released a patch to remediate this critical issue."
Patches for the automation tool InduSoft Web Studio and scalable HMI client InTouch Machine Edition have been released.
Customers using InduSoft Web Studio v8.1 or prior versions are affected and should upgrade and apply InduSoft Web Studio v8.1 SP1 as soon as possible.
Customers using InTouch Machine Edition 2017 v8.1 or prior versions are affected and should upgrade and apply InTouch Machine Edition 2017 v8.1 SP1 as soon as possible.