Schneider Electric Fixes Potential RCE Flaw in Several Products

29.01.2015

Author: Eduard Kovacs

Several solutions from Schneider Electric are plagued by a serious vulnerability that could be exploited for remote code execution (RCE).

Researcher Ariele Caltabiano identified a stack-based buffer overflow vulnerability in Schneider Electric’s SoMove Lite, setup software for motor control devices. The energy management company has determined that the security hole actually affects a Device Type Manager (DTM) development kit distributed with several DTM libraries. The culprit is a DLL file installed by the DTM setup, Schneider Electric said.

According to security advisories published by ICS-CERT and Schneider Electric, the DLL is found in the Modbus Communication Library version 2.2.6 and earlier, the CANopen Communication Library version 1.0.2 and earlier, the EtherNet/IP Communication Library version 1.0.0 and earlier, EM X80 Gateway DTM (MB TCP/SL), Advantys DTMs (OTB, STB), KINOS DTM, SOLO DTM, and Xantrex DTMs.

The DTMs containing the vulnerable DLL are used in SoMove, SoMove Lite, Unity Pro and SoMachine. Unity Pro is development software used to test, debug and manage applications, while SoMachine is a software environment for automation machinery.

“Successfully exploiting this vulnerability could allow a remote attacker to execute arbitrary code,” ICS-CERT said in its advisory.

The flaw has been assigned the CVE identifier CVE-2014-9200 and a CVSS base score of 7.5.

The vulnerability is not difficult to exploit, but fortunately there are no known exploits for it, and Schneider Electric has developed a patch that replaces the affected DLL.

This is the second security advisory published by Schneider Electric this year. Earlier this month, the company announced the availability of a firmware update that fixes a couple of critical bugs in ETG3000 FactoryCast HMI Gateway, a Web-based SCADA system.

DTM component vulnerabilities can be highly problematic. Alexander Bolshev and Gleb Cherbov, researchers at Russia-based Digital Security, have identified 32 vulnerable DTM components from a total of 24 vendors.

One of the flawed components is the CodeWrights HART DTM library, which is used in products developed by ABB, Berthold Technologies, Emerson, Endress+Hauser, Magnetrol, and Pepperl+Fuchs. CodeWrights has addressed the vulnerability and some of the affected companies have already started integrating the new version of the library in their solutions.