Schneider Electric UnitelWay Buffer Overflow
Low Risk | ICS-CERT ICSA-11-277-01 | Jul 7, 2011
Summary
Buffer overflow vulnerability in Schneider Electric UnitelWay protocol implementation affecting multiple engineering and HMI software applications on Windows XP platforms. The vulnerability allows arbitrary code execution through specially crafted UnitelWay messages.
What this means
What could happen
An attacker who sends malicious UnitelWay protocol messages could execute arbitrary code on engineering workstations or HMI systems, potentially allowing them to modify or control industrial processes and data.
Who's at risk
Energy utilities and industrial facilities using Schneider Electric automation software, particularly those with legacy Windows XP engineering workstations running Unity Pro, OPC Factory Server, Vijeo Citect, Telemecanique Driver Pack, Monitor Pro, or PL7 Pro that communicate via UnitelWay protocol.
How it could be exploited
An attacker must send a specially crafted UnitelWay protocol message to a vulnerable application (Unity Pro, OPC Factory Server, Vijeo Citect, Telemecanique Driver Pack, Monitor Pro, or PL7 Pro). If the application accepts the message without proper bounds checking, the buffer overflow could be triggered to execute arbitrary code on the Windows XP system.
Prerequisites
- Windows XP system running one of the affected Schneider Electric applications
- Network access or local access to send UnitelWay protocol messages to the vulnerable application
- Application must be running and accepting UnitelWay connections
no patch available | affects engineering and HMI workstations | buffer overflow vulnerability (CWE-119)
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (6)
6 EOL
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Unity Pro Windows XP | ≤ 6 | No fix (EOL) |
| OPC Factory Server Windows XP | 3.34 | No fix (EOL) |
| Vijeo Citect Windows XP | ≤ 7.20 | No fix (EOL) |
| Telemecanique Driver Pack Windows XP | ≤ 2.6 | No fix (EOL) |
| Monitor Pro Windows XP | ≤ 7.6 | No fix (EOL) |
| PL7 Pro Windows XP | ≤ 4.5 | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Implement network segmentation to restrict UnitelWay protocol traffic to trusted engineering networks only
- WORKAROUND: Disable or restrict access to UnitelWay protocol if not required for operations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor network traffic for suspicious UnitelWay messages destined to affected applications
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Unity Pro Windows XP: <=6, OPC Factory Server Windows XP: 3.34, Vijeo Citect Windows XP: <=7.20, Telemecanique Driver Pack Windows XP: <=2.6, Monitor Pro Windows XP: <=7.6, PL7 Pro Windows XP: <=4.5. Apply the following compensating controls:
- HARDENING: Upgrade from Windows XP to a supported operating system (Windows 7, 10, or later) and migrate to current versions of Schneider Electric software
CVEs (1)