Schneider Electric has fixed three vulnerabilities in ProClima, its software for designing the thermal management (climate control) of enclosures that house electrical equipment.
Exploiting the bugs could allow DLL hijacking, memory operations outside the intended bounds of an allocated buffer, and execution of attacker-supplied code on the target machine. The fixes are included in the latest version of the application, 8.0.0. The most serious vulnerability was assigned the identifier CVE-2019-6824 and scored 9.8 on the CVSS scale.
“A critical flaw is explained by a buffer error and allows an attacker to perform operations not provided for by the developers within the allocated memory range. The result of such actions may be the launch of third-party code without authentication on the device,” write the developers of Schneider Electric.
CVE-2019-6823, rated 8.8 on the CVSS scale, is somewhat less severe. It is an improper control of code generation (code injection) flaw in all versions of ProClima before 8.0.0 that can lead to the execution of an attacker-supplied script on the target device, and an unauthenticated remote attacker can trigger it.
The third bug is an uncontrolled search path: when the installer looks for the libraries it needs, it does not restrict where they may be loaded from. This lets an attacker replace a DLL from the legitimate application bundle with a malicious file of the same name, and exploitation can lead to execution of third-party code, although it requires the participation of the program's user. The deficiency was assigned CVE-2019-6825 and rated 7.8 on the CVSS scale.
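To make the search-path issue concrete, the following added example (not ProClima's or Schneider Electric's code) models the default Windows DLL search order for a library loaded by bare name and reports which directories an unprivileged user could plant a DLL in before the legitimate copy is found. The directory names, file listings, DLL names and writable-directory set are constructed for illustration; the search order itself is the documented SafeDllSearchMode order, and the hardened order is what `SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS)` leaves in effect.

```python
"""Model of the Windows DLL search order used to flag DLL planting (CWE-427) risks.

Added example; it is not code from Schneider Electric or the ProClima installer.
All paths, file listings and permissions below are constructed for illustration.
"""
from typing import Dict, Iterable, List, Optional, Set

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"

# DLLs on the KnownDLLs list are mapped straight from System32 and never go
# through the search order (abbreviated list, sufficient for this example).
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def search_order(app_dir: str, cwd: str, path_dirs: Iterable[str]) -> List[str]:
    """Default SafeDllSearchMode order for a DLL loaded by bare name:
    application directory, System32, 16-bit system directory, Windows
    directory, current directory, then each PATH entry (duplicates dropped)."""
    return list(dict.fromkeys([app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd, *path_dirs]))


def hardened_order(app_dir: str) -> List[str]:
    """Order after SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS):
    application directory and System32 only (plus AddDllDirectory entries,
    none here); the current directory and PATH are no longer probed."""
    return list(dict.fromkeys([app_dir, SYSTEM32]))


def resolve_dll(name: str, order: List[str], fs: Dict[str, Set[str]]) -> Optional[str]:
    """First directory in `order` that contains `name`, or None if not found."""
    for d in order:
        if name in fs.get(d, set()):
            return d
    return None


def planting_risks(dlls: Iterable[str], order: List[str],
                   fs: Dict[str, Set[str]], user_writable: Set[str]) -> Dict[str, List[str]]:
    """Map each DLL to the user-writable directories probed up to and including
    the one it resolves from. A DLL that is found nowhere (an optional library
    the installer merely probes for) makes every writable directory a target."""
    findings: Dict[str, List[str]] = {}
    for name in dlls:
        lname = name.lower()
        if lname in KNOWN_DLLS:
            continue
        found_in = resolve_dll(lname, order, fs)
        probed = order if found_in is None else order[: order.index(found_in) + 1]
        risky = [d for d in probed if d in user_writable]
        if risky:
            findings[name] = risky
    return findings


# Constructed scenario: an installer run from the user's Downloads folder.
DOWNLOADS = r"C:\Users\alice\Downloads"
USER_BIN = r"C:\Users\alice\bin"
PROGRAM_FILES_DIR = r"C:\Program Files\Vendor"
FILESYSTEM: Dict[str, Set[str]] = {
    SYSTEM32: {"kernel32.dll", "version.dll", "dwmapi.dll"},
    DOWNLOADS: {"setup.exe", "vendorhelper.dll"},
}
USER_WRITABLE = {DOWNLOADS, USER_BIN}
PATH_DIRS = [SYSTEM32, USER_BIN]
DLLS = ["kernel32.dll", "version.dll", "vendorhelper.dll", "optional.dll"]


def audit_installer(installer_dir: str = DOWNLOADS, hardened: bool = False) -> Dict[str, List[str]]:
    """Audit the installer's DLL loads assuming cwd == installer directory."""
    order = hardened_order(installer_dir) if hardened else search_order(installer_dir, installer_dir, PATH_DIRS)
    return planting_risks(DLLS, order, FILESYSTEM, USER_WRITABLE)


if __name__ == "__main__":
    for where, hard in ((DOWNLOADS, False), (PROGRAM_FILES_DIR, False), (PROGRAM_FILES_DIR, True)):
        print(where, "hardened" if hard else "default", audit_installer(where, hard))
```

Two lessons fall out of the model: restricting the loader with `SetDefaultDllDirectories` or fully qualified paths removes the PATH and current-directory entries, but an installer executed from a user-writable directory still resolves libraries from that directory first, so a planted `version.dll` beside `setup.exe` is loaded before the genuine one in System32. That is why such bugs are scored as requiring user interaction: the victim has to launch the installer from a location the attacker could write to.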
Schneider Electric representatives thanked independent information security specialist Haojun Hou, as well as experts from Fortinet, NSFOCUS, and Telus for helping to identify vulnerabilities.
Last year, Schneider Electric had to deal with a flaw in the Modicon M221 family of programmable logic controllers that allowed an attacker to remotely change the device's IPv4 settings. Such an attack could change the controller's network address and enable subsequent interception of its traffic.
Schneider Electric recommends the following best cybersecurity practices for industry:
- Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
- Physical controls should be in place so no unauthorized person has access to the ICS and safety controllers, peripheral equipment, or the ICS and safety networks.
- All controllers should reside in locked cabinets and never be left in “Program” mode.
- All programming software should be kept in locked cabinets and should never be connected to any network other than the network for the devices it is intended to program.
- All methods of mobile data exchange with the isolated network, such as CDs, USB drives, etc., should be scanned before use in the terminals or any node connected to these networks.
- Laptops that have connected to any other network besides the intended network should never be allowed to connect to the safety or control networks without proper sanitation.
- Minimize network exposure for all control system devices and/or systems and ensure they are not accessible from the Internet.
- When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.