CVSS2: 9.3 High
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS: 0.041 Low
Percentile: 92.2%
ICS-CERT originally released Advisory ICSA-11-307-01P on the US-CERT secure Portal on November 03, 2011. This web page release was delayed to allow users time to download and install the update.
Researcher Kuang-Chun Hung of Security Research and Service Institute–Information and Communication Security Technology Center (ICST) has identified four vulnerabilities in the Schneider Electric Vijeo Historian product line. These vulnerabilities include a denial of service (DoS), a buffer overflow, cross-site scripting (XSS), and a directory traversal.
ICS-CERT has coordinated this report with Schneider Electric and ICST. Schneider has produced a fix that resolves these vulnerabilities. ICST has tested this fix and validated that it fully resolves these vulnerabilities.
According to Schneider Electric the following products are affected:
Successful exploitation of these vulnerabilities could result in DoS, data leakage, or remote code execution.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
Schneider Electric is a manufacturer and integrator of energy management equipment and software. According to Schneider Electric, its products are used worldwide. The Vijeo Historian, CitectHistorian, and CitectSCADA report products are data historian products. According to Schneider Electric, these products are used in energy, industry, and building automation.
A buffer overflow vulnerability exists in the third-party TeeChart ActiveX control that could allow a remote attacker using social engineering to cause a DoS.
CVE-2011-4033 has been assigned to this vulnerability in the National Vulnerability Database (NVD).
A buffer overflow vulnerability exists in the third-party TeeChart ActiveX control that could allow a remote attacker using social engineering to cause a denial of service and/or execute arbitrary code.
CVE-2011-4034 has been assigned to this vulnerability in the NVD.
An XSS vulnerability exists that could allow remote attackers using social engineering to inject arbitrary web script or HTML via an HTTP request.
CVE-2011-4035 has been assigned to this vulnerability in the NVD.
A directory traversal vulnerability exists in the web portal allowing remote attackers to read arbitrary files in an HTTP request.
CVE-2011-4036 has been assigned to this vulnerability in the NVD.
Three of these four vulnerabilities are remotely exploitable if used with social engineering. The directory traversal vulnerability can be exploited without social engineering.
No publicly available exploits specifically targeting these vulnerabilities are known to exist.
An attacker with a low to moderate skill level could potentially exploit these vulnerabilities.
Schneider Electric has created a patch and has issued a customer notification describing the vulnerabilities (http://www.scada.schneider-electric.com/sites/scada/en/login/historian-vulnerability.page, website last accessed November 28, 2011). Schneider Electric recommends that all customers using the above mentioned software packages download and apply the patch located at http://www.citect.com/index.php?option=com_content&view=article&id=1656&Itemid=1695.
In addition to applying the patch developed by Schneider Electric, ICS-CERT encourages asset owners to take additional defensive measures against this and other cybersecurity threats by:
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
The Control Systems Security Program (CSSP) also provides a recommended practices section for control systems on the CSSP web page. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4033
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4034
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4035
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4036
www.citect.com/index.php?option=com_content&view=article&id=1656&Itemid=1695