Critical Security Flaw in Schneider Electric ICS Software

Researchers at the security firm Tenable discovered a stack-based buffer overflow vulnerability in widely used industrial control system (ICS) software that could be exploited to disrupt operations at power plants and other critical infrastructure facilities. The vulnerability, which carries a CVSS score of 9.8 out of 10, affects Schneider Electric's InduSoft Web Studio and InTouch Machine Edition 2017 products, both of which are used to build the applications that automate components of a power plant or manufacturing facility. Successful exploitation could allow a remote, unauthenticated threat actor to execute code with elevated privileges and take control of the affected system. Because no authentication is required, any affected host reachable from an untrusted network is exposed until it is patched.

Schneider Electric has released an update that patches the vulnerability. The NJCCIC recommends that all users and administrators of InduSoft Web Studio and InTouch Machine Edition 2017 versions 8.1 and prior review the Schneider Electric Security Bulletin for details and apply the update as soon as possible. For more information on cyber risk to critical infrastructure, please read the NJCCIC Threat Analysis, Addressing Vulnerabilities in Critical Infrastructure.
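The bulletin above names only the vulnerability class, a stack-based buffer overflow reachable by an unauthenticated remote client. The following C example, added here for illustration and not code from Schneider Electric, Tenable, or the affected products, shows the generic shape of that class in a network message parser: a length field supplied by the client is trusted when copying into a fixed-size stack buffer, beside a hardened version that rejects oversized lengths before touching the buffer. The two-byte length-prefixed "tag name" message format, the TAG_NAME_MAX limit, and the sample messages built from 'A' bytes are all constructed for this example and have no relation to the real InduSoft protocol.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this illustration (not the real protocol):
 * [len_hi][len_lo][len bytes of tag name]. The parser copies the name into
 * a TAG_NAME_MAX-byte stack buffer and NUL-terminates it. */
#define TAG_NAME_MAX 32

/* Vulnerable pattern (deliberately unsafe, kept only for comparison):
 * the declared length is validated against the bytes received, but never
 * against the size of the stack buffer it is copied into. A length above
 * TAG_NAME_MAX - 1 overwrites whatever follows `name` on the stack, which
 * on typical targets includes the saved return address. */
int parse_tag_name_unsafe(const uint8_t *msg, size_t msg_len,
                          char *out, size_t out_len)
{
    char name[TAG_NAME_MAX];
    if (msg_len < 2) return -1;
    size_t len = ((size_t)msg[0] << 8) | msg[1];
    if (msg_len - 2 < len) return -1;   /* enough bytes to read from... */
    memcpy(name, msg + 2, len);         /* ...but no check on the destination */
    name[len] = '\0';                   /* off-by-one even when len == TAG_NAME_MAX */
    if (out_len == 0) return -1;
    snprintf(out, out_len, "%s", name);
    return (int)(2 + len);
}

/* Hardened version: the attacker-controlled length is bounded by the
 * destination buffer (leaving room for the terminator) before any copy,
 * and the remaining-bytes check cannot underflow because msg_len >= 2. */
int parse_tag_name_safe(const uint8_t *msg, size_t msg_len,
                        char *out, size_t out_len)
{
    char name[TAG_NAME_MAX];
    if (msg_len < 2) return -1;
    size_t len = ((size_t)msg[0] << 8) | msg[1];
    if (len >= sizeof name) return -1;  /* reject before touching the stack buffer */
    if (msg_len - 2 < len) return -1;   /* truncated message */
    memcpy(name, msg + 2, len);
    name[len] = '\0';
    if (out_len == 0) return -1;
    snprintf(out, out_len, "%s", name);
    return (int)(2 + len);
}

/* Builds a constructed message whose declared length is body_len and whose
 * body is body_len 'A' bytes. Returns the total message size, or 0 if it
 * does not fit in buf. */
size_t build_msg(uint8_t *buf, size_t buf_len, size_t body_len)
{
    if (body_len > 0xFFFF || buf_len < 2 + body_len) return 0;
    buf[0] = (uint8_t)(body_len >> 8);
    buf[1] = (uint8_t)(body_len & 0xFF);
    memset(buf + 2, 'A', body_len);
    return 2 + body_len;
}

/* Feeds a constructed body_len message to the hardened parser, delivering
 * only deliver_len bytes of it (0 = the whole message) to simulate a
 * truncated read. Returns the parser's result, or -2 if the message could
 * not be built. */
int safe_result(size_t body_len, size_t deliver_len)
{
    static uint8_t buf[512];
    char out[64];
    size_t n = build_msg(buf, sizeof buf, body_len);
    if (n == 0) return -2;
    if (deliver_len == 0) deliver_len = n;
    return parse_tag_name_safe(buf, deliver_len, out, sizeof out);
}

/* Same as safe_result for the unsafe parser. Only call with body_len below
 * TAG_NAME_MAX: anything larger is the overflow and undefined behaviour. */
int unsafe_result_in_bounds(size_t body_len)
{
    static uint8_t buf[512];
    char out[64];
    if (body_len >= TAG_NAME_MAX) return -2;
    size_t n = build_msg(buf, sizeof buf, body_len);
    if (n == 0) return -2;
    return parse_tag_name_unsafe(buf, n, out, sizeof out);
}

/* Returns 1 if the hardened parser copies a 5-byte name out intact. */
int safe_name_roundtrip(void)
{
    uint8_t buf[16];
    char out[64];
    size_t n = build_msg(buf, sizeof buf, 5);
    if (parse_tag_name_safe(buf, n, out, sizeof out) != 7) return 0;
    return strcmp(out, "AAAAA") == 0;
}

int main(void)
{
    printf("5-byte name:   safe=%d unsafe=%d\n", safe_result(5, 0), unsafe_result_in_bounds(5));
    printf("64-byte name:  safe=%d (unsafe parser would smash the stack)\n", safe_result(64, 0));
    printf("truncated:     safe=%d\n", safe_result(10, 5));
    return 0;
}
```

The point of the comparison is that the unsafe parser's only length check guards the source buffer, so a client that sends a complete but oversized message passes every check it has; the hardened parser bounds the length by the destination first, which is the check a patch for this class of bug must add.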