Schneider Electric Vijeo Historian Web Server Multiple Vulnerabilities

Act NowICS-CERT ICSA-11-307-01Aug 6, 2011

Schneider ElectricEnergy

Summary

Schneider Electric Vijeo Historian, CitectHistorian, and CitectSCADA Reports web servers contain three types of vulnerabilities: buffer overflow (CWE-119) that could allow remote code execution, cross-site scripting (CWE-79) that could inject malicious code into web pages viewed by operators, and path traversal (CWE-22) that could allow unauthorized access to files and configurations on the server. These vulnerabilities affect versions v4.30 and earlier of Vijeo Historian and CitectHistorian, and v4.10 and earlier of CitectSCADA Reports. No patches are currently available from the vendor.

What this means

What could happen

An attacker with network access to the web server could execute arbitrary code, inject malicious content into web pages, or access sensitive files and configurations. This could allow manipulation of historical data, disruption of reporting systems, or compromise of control system information.

Who's at risk

Energy utilities using Schneider Electric historian and reporting systems for storing and accessing SCADA data should be concerned. This affects Vijeo Historian, CitectHistorian, and CitectSCADA Reports servers that are used to archive sensor data and generate operational reports across electric generation, transmission, and distribution operations.

How it could be exploited

An attacker could send specially crafted HTTP requests to the web server on ports 80 or 443 to trigger buffer overflow (CWE-119), cross-site scripting (CWE-79), or path traversal (CWE-22) vulnerabilities. No authentication is required to exploit these web-facing attack vectors.

Prerequisites

Network access to the Vijeo Historian, CitectHistorian, or CitectSCADA Reports web server
No authentication required
Affected versions: Vijeo Historian v4.30 or earlier, CitectHistorian v4.30 or earlier, CitectSCADA Reports v4.10 or earlier

remotely exploitableno authentication requiredlow complexityno patch availablehigh EPSS score (55.8%)

Exploitability

Likely to be exploited — EPSS score 55.8%

Metasploit module available — weaponized exploitView module ↗

Affected products (3)

3 EOL

ProductAffected VersionsFix Status

Vijeo Historian: <=V4.30≤ V4.30No fix (EOL)

CitectHistorian: <=V4.30≤ V4.30No fix (EOL)

CitectSCADA Reports: <=V4.10≤ V4.10No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGIsolate the historian and reporting servers from direct internet access using network segmentation or firewalls. Allow access only from trusted engineering workstations and control networks.

WORKAROUNDRestrict web server access to port 80 and 443 using firewall rules to only authorized IP addresses and networks that need to access reports and historical data.

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor web server logs for suspicious HTTP requests, unusual file access patterns, or requests containing shell metacharacters and path traversal sequences.

Long-term hardening

0/1

HOTFIXReview vendor security advisories and upgrade affected products when patches become available.

CVEs (4)

CVE-2011-4033 CVE-2011-4034 CVE-2011-4035 CVE-2011-4036

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1b0f6ac3-13e0-41b3-a13f-577b32b20eb6

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.