Default Credentials Found in Schneider Electric Wonderware Historian

The Industrial Control System Cyber Emergency Response Team (ICS-CERT) on Tuesday published an advisory warning of a critical vulnerability in Schneider Electric Wonderware Historian, a platform used to capture, store and manage big data.

The vulnerability, CVE-2017-5155, can be exploited to target Historian databases, ICS-CERT said.

“Wonderware Historian creates logins with default passwords, which can allow a malicious entity to compromise Historian databases,” ICS-CERT said in its advisory. “In some installation scenarios, resources beyond those created by Wonderware Historian may be compromised as well.”

The flaw, which was privately disclosed by Ruslan Habalov and Jan Bee of the Google ISA Assessments Team, affects Wonderware Historian 2014 R2 SP1 P01 and earlier versions.

“Successful exploitation of this vulnerability could allow a malicious entity to compromise Historian databases,” ICS-CERT warned. “In some installation scenarios, SQL resources beyond those created by Wonderware Historian may be compromised as well.”

A request for comment from Schneider Electric was not returned in time for publication.

Schneider Electric and ICS-CERT provided some mitigation advice that includes checking the Wonderware Historian Client, InTouch and Application Object scripts, Information Server configuration and any custom applications that interact with Historian data that may include default logins.

Logins that are not used should be disabled from the SQL Server Management Studio, and for those in use, passwords should be changed from the supplied default credentials, ICS-CERT said in its advisory.

“For an increased level of security, Schneider Electric and Microsoft further advise that connectivity to SQL Server be accomplished with Windows Integrated Security as opposed to using native SQL logins,” ICS-CERT said.