VIJEO CITECT V7.40 SOFTWARE
Schneider Electric recommends all customers using the affected software packages listed above download and apply the relevant patch.
VIJEO CITECT V7.40 PATCH
Schneider Electric has developed a cumulative patch that addresses the above security issue as well as a separate quality issue.
VIJEO CITECT V7.40 UPDATE
They have removed the quality fix from the release and have issued a new patch containing only the security update for this vulnerability. Schneider Electric has determined that the problem is within the quality portion of the fix.
Some customers may have experienced a crash after applying the “security & quality fix” released on December 16, 2013. DIFFICULTYĪn attacker with a low skill would be able to exploit this vulnerability. No known public exploits specifically target this vulnerability. This vulnerability could be exploited remotely. A CVSS v2 base score of 7.8 has been assigned the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C). To exploit this vulnerability an attacker must send a specially crafted packet to any of the server processes.
The vulnerability could cause a denial of service on the server of the affected products. VULNERABILITY CHARACTERIZATION VULNERABILITY OVERVIEW The affected Schneider Electric systems are found primarily in energy, manufacturing, and infrastructure applications worldwide. The affected products are web-based SCADA systems. Schneider Electric is a manufacturer and integrator of energy management and industrial automation systems, equipment, and software. Schneider Electric is a France-based multinational corporation. NCCIC/ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation. Impact to individual organizations depends on many factors that are unique to each organization. The software would need to be restarted to recover from a successful denial-of-service attack. StruxureWare PowerSCADA Expert v7.30 to v7.30SR1, andĪn attacker can cause a denial of service in this product by exploiting this vulnerability.StruxureWare SCADA Expert Vijeo Citect v7.40,.The following Schneider Electric versions are affected: Eiram has tested the patch to validate that it resolves all the above vulnerabilities in CitectSCADA. While investigating this vulnerability report, Schneider Electric discovered additional related vulnerabilities and has produced a patch that mitigates them in SCADA Expert Vijeo Citect, CitectSCADA, and PowerSCADA Expert. Eiram had already been fixed in CitectSCADA v7.20SP2. The original vulnerability reported by Mr. Researcher Carsten Eiram of Risk Based Security has identified an exception handling vulnerability in Schneider Electric’s CitectSCADA application. Schneider Electric requested the title change to reduce confusion. This advisory was originally posted to the US-CERT secure Portal library on December 16, 2013.
This updated advisory is a follow-up to the original advisory titled ICSA-13-350-01 Schneider Electric SCADA Products Exception Handler Vulnerability that was published February 25, 2014, on the NCCIC/ICS-CERT web site.
0 kommentar(er)
