Schneider Electric, one of the largest makers of hardware and software products used across critical industry verticals, has patched a vulnerability in two software products —InduSoft Web Studio and InTouch Machine Edition.
Both software suites are so-called "middleware," which is a term used to software that allows human operators to control equipment spread across one or more factories, field posts, and more.
The most likely places where you'll find such apps is usually on the internal networks of power plants, the oil & gas sector, manufacturing, pharmaceutics, large agricultural processing stations, and about in any factory with lots of automated systems, sensors, motors, and other SCADA (Supervisory Control And Data Acquisition) equipment.
Security researchers from Tenable discovered that these two applications are vulnerable to the same security flaw —a buffer overflow in a shared component.
The vulnerability could have allowed an attacker to crash or take over the two software products, and gain access to the underlying computers they are installed on, or the industrial sensors and motors these software control.
The good news is that under normal circumstances, these two applications are usually installed in air-gapped internal networks dedicated to controlling critical industrial control system (ICS) equipment only.
But Tenable researchers argue that if the computers running any of these two applications are to be left connected to the Internet, attacks could be mounted from remote locations across the web, by sending a malicious package over port 1234.
Nonetheless, scenarios where attackers gain a foothold on these closed networks and then search and attack the vulnerable software are more likely to happen, and researchers warn companies not to take their bug report lightly —which received a severity score of 9.8 out of a maximum of 10.
No authentication is needed to exploit this flaw, Tenable researchers said, urging companies to update to InduSoft Web Studio v8.1 SP1 and InTouch Machine Edition 2017 v8.1 SP1.
InduSoft Web Studio is a suite of tools that provides automation building blocks to develop human-machine interfaces (HMIs), Supervisory Control And Data Acquisition (SCADA) systems and embedded instrumentation solutions.
InTouch Machine Edition is an HMI/SCADA software toolset to develop applications to connect automation systems such as Programmable Logic Controllers (PLCs) and to develop interfaces for web browsers, smartphones and tablets.