Schneider Electric Authenticated Communication Risk Vulnerability

Low RiskICS-CERT ICSA-13-016-01Oct 20, 2013

Schneider ElectricEnergy

Summary

Schneider Electric engineering and runtime software products contain an authenticated communication risk in which the authentication mechanism may fail to properly validate communications between engineering workstations and control systems. The affected products include Unity Pro (all versions 5.0 through 6.1), Vijeo Designer (versions 5.0 through 6.1), SoMachine (v1.2.1), SESU (versions 1.0–1.1), IDS (versions 1.0–2.0), PowerSuite (v2.5), Web Gate Client Files (v5.1), and multiple Smart Widget components. An attacker with valid engineering credentials could exploit this flaw to bypass authentication checks and perform unauthorized actions on affected systems.

What this means

What could happen

An attacker with valid engineering credentials could bypass authentication checks in communications between engineering workstations and Schneider Electric control systems, potentially allowing unauthorized configuration changes or access to sensitive process data.

Who's at risk

Power generation and distribution utilities using Schneider Electric engineering and runtime software products are affected. This impacts organizations using Unity Pro for PLC programming, Vijeo Designer for HMI development, SoMachine for automation, SESU for supervisory control, IDS for control systems, and associated Smart Widget components (Acti 9, H8035, H8036, PM201, PM710, PM750) for power monitoring. Any organization relying on these Schneider Electric products for process automation or energy management should evaluate their exposure.

How it could be exploited

An attacker with valid engineering workstation credentials sends specially crafted authenticated commands to a Schneider Electric engineering tool or runtime system (Unity Pro, Vijeo Designer, SoMachine, etc.). The authentication mechanism fails to properly validate the communication, allowing the attacker to perform unauthorized actions such as modifying controller logic or accessing configuration data.

Prerequisites

Valid engineering workstation credentials
Network access to the affected Schneider Electric software or device
Affected Schneider Electric product installed (engineering station or runtime)

no patch availablevalid credentials required for exploitationaffects engineering/configuration access

Exploitability

Some exploitation risk — EPSS score 1.5%

Affected products (18)

18 EOL

ProductAffected VersionsFix Status

Unity Pro: V5.0_L_M_S_XLV5.0 L M S XLNo fix (EOL)

Unity Pro: V6.0_L_M_S_XLV6.0 L M S XLNo fix (EOL)

Vijeo Designer: 6.0.x|6.1.0.x|5.0.0.x|5.1.0.x6.0.x|6.1.0.x|5.0.0.x|5.1.0.xNo fix (EOL)

Web Gate Client Files: V5.1.xV5.1.xNo fix (EOL)

IDS: 1.0|2.01.0|2.0No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGRestrict network access to engineering workstations running Unity Pro, Vijeo Designer, SoMachine, or other affected Schneider Electric tools to authorized engineering staff only

HARDENINGImplement firewall rules to limit communication between engineering stations and control systems to necessary ports and protocols only

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGMonitor for unauthorized access attempts to engineering stations and suspicious configuration changes in affected systems

HARDENINGReview and audit recent configuration changes to Unity Pro, Vijeo Designer, SoMachine, and other affected products for unauthorized modifications

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: Unity Pro: V5.0_L_M_S_XL, Unity Pro: V6.0_L_M_S_XL, Vijeo Designer: 6.0.x|6.1.0.x|5.0.0.x|5.1.0.x, Web Gate Client Files: V5.1.x, IDS: 1.0|2.0, PowerSuite: 2.5, Smart Widget Acti 9: V1.0.0.0, Smart Widget H8035: V1.0.0.0, Smart Widget PM201: V1.0.0.0, Smart Widget PM710: V1.0.0.0, Smart Widget PM750: V1.0.0.0, SoMachine: V1.2.1, Spacail.pro: V1.0.0.x, SESU: 1.0.x|1.1.x, Unity Pro: V6.1_L_M_S_XL, Unity Pro: V0_L_M_S_XL_XLS, Vijeo Designer Opti: 6.0.x|5.1.0.x|5.0.0.x, Smart Widget H8036: V1.0.0.0. Apply the following compensating controls:

HARDENINGEnforce strong access controls and multi-factor authentication for engineering workstation accounts where possible

CVEs (1)

CVE-2013-0655

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/23619687-9d7c-4973-adf4-f92600eef98f

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.