10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
72.0%
**ATTENTION:**Remotely exploitable/low skill level to exploit
Vendor: Schneider Electric
Equipment: homeLYnk Controller, LSS100100
Vulnerability: Cross-site Scripting, Command Injection
This updated advisory is a follow-up to the original advisory titled ICSA-17-019-01 Schneider Electric homeLYnk Controller that was published January 19, 2017, on the NCCIC/ICS-CERT web site.
Schneider Electric reports that the vulnerability affects the following products:
An attacker may be able to exploit this vulnerability to cause execution of java script code.
--------- Begin Update A Part 1 of 2 --------
Schneider Electric has made firmware that fixes these vulnerabilities available for download at:
<http://www.schneider-electric.com/en/download/document/FW1_5_1-hL/>
For more information on these vulnerabilities and more detailed mitigation instructions, please see Schneider Electric security notification SEVD-2017-011-01 at the following location:
<http://www.schneider-electric.com/ww/en/download/document/SEVD-2017-011-01>,
and security notification SEVD-2017-052-02 at the following location:
<http://www.schneider-electric.com/ww/en/download/document/SEVD-2017-052-02>
--------- End Update A Part 1 of 2 ----------
ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available in the ICSβCERT Technical Information Paper, ICS-TIP-12-146-01BβTargeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
The homeLYnk controller is susceptible to a cross-site scripting attack. User inputs can be manipulated to cause execution of java script code.
CVE-2017-5157 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).
--------- Begin Update A Part 2 of 2 --------
The homeLYnk controller has network features that can be manipulated via specially crafted POST requests. This vulnerability requires user interaction to be exploited.
CVE-2017-7689 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
--------- End Update A Part 2 of 2 ----------
Mohammed Shameem reported this issue to Schneider Electric.
Critical Infrastructure Sector: Commercial Facilities
Countries/Areas Deployed: United States
Company Headquarters Location: France
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5157
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7689
www.schneider-electric.com/en/download/document/FW1_5_1-hL/
www.schneider-electric.com/ww/en/download/document/SEVD-2017-011-01
www.schneider-electric.com/ww/en/download/document/SEVD-2017-052-02
cwe.mitre.org/data/definitions/77.html
cwe.mitre.org/data/definitions/79.html
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Schneider%20Electric%20homeLYnk%20Controller%20%28Update%20A%29+https://www.cisa.gov/news-events/ics-advisories/icsa-17-019-01a
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-17-019-01a&title=Schneider%20Electric%20homeLYnk%20Controller%20%28Update%20A%29
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-17-019-01a
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-advisories/icsa-17-019-01a
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Schneider%20Electric%20homeLYnk%20Controller%20%28Update%20A%29&body=www.cisa.gov/news-events/ics-advisories/icsa-17-019-01a
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
72.0%