Five dangerous vulnerabilities were discovered in the Schneider Electric Floating License Manager and Schneider Electric Interactive Graphical SCADA System (IGSS) products.
The successful operation of these bugs can lead to a denial of service or the ability to execute arbitrary code, or bypassing the license for legal use of the product.Floating License Manager is part of many popular Schneider Electric products used in critical industries. Four vulnerabilities (CVE-2018-20031, CVE-2018-20032, CVE-2018-20033 and CVE-2018-20034) were found in the software (version 2.3.0.0 and earlier), providing the ability to disable the vendor daemon.
The manufacturer has already released a revised version of the application 2.3.1.0.
The degree vulnerabilities’ danger CVE-2018-20031, CVE-2018-20032 and CVE-2018-20034 is estimated at 7.5 points on the CVSS v3 scale, and CVE-2018-20033 – 9.8 points.
A vulnerability has been discovered in the IGSS dispatch control system (CVE-2019-6827) that can cause software crashes or code execution.
The bug can be exploited when the application processes a specially crafted project file. Vulnerability affects versions 14 and earlier.
Revised versions 13.0.0.19140 and 14.0.0.19120 are already available on the manufacturer’s website. The system is used for monitoring in a variety of industries, transport management systems, shipbuilding, building management systems.
MITIGATIONS:
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.