ATTENTION: Remotely exploitable/low skill level to exploit
Vendor: Schneider Electric
Equipment: homeLYnk Controller, LSS100100
Vulnerability: Cross-site Scripting, Command Injection
This updated advisory is a follow-up to the original advisory titled ICSA-17-019-01 Schneider Electric homeLYnk Controller that was published January 19, 2017, on the NCCIC/ICS-CERT web site.
Schneider Electric reports that the vulnerability affects the following products:
An attacker may be able to exploit this vulnerability to cause execution of java script code.
--------- Begin Update A Part 1 of 2 --------
Schneider Electric has made firmware that fixes these vulnerabilities available for download at:
For more information on these vulnerabilities and more detailed mitigation instructions, please see Schneider Electric security notification SEVD-2017-011-01 at the following location:
and security notification SEVD-2017-052-02 at the following location:
--------- End Update A Part 1 of 2 ----------
ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
The homeLYnk controller is susceptible to a cross-site scripting attack. User inputs can be manipulated to cause execution of java script code.
--------- Begin Update A Part 2 of 2 --------
The homeLYnk controller has network features that can be manipulated via specially crafted POST requests. This vulnerability requires user interaction to be exploited.
--------- End Update A Part 2 of 2 ----------
Mohammed Shameem reported this issue to Schneider Electric.
Critical Infrastructure Sector: Commercial Facilities
Countries/Areas Deployed: United States
Company Headquarters Location: France