OTPulse

Schneider Electric Wonderware Vulnerabilities

Low Risk · ICS-CERT ICSA-14-238-02 · May 29, 2014
Summary

Schneider Electric Wonderware Information Server Portal versions 4.0_SP1, 4.5, 5.0, and 5.5 contain multiple input validation and encoding flaws (CWE-326, CWE-79, CWE-20, CWE-89). These weaknesses allow remote attackers to inject SQL commands and JavaScript code without authentication, potentially leading to unauthorized data access, data manipulation, cross-site scripting attacks, and compromise of process information displayed to operators. The vulnerabilities exist in the portal's handling of user-supplied input and cryptographic implementations.

What this means
What could happen
An attacker could inject malicious code into the Wonderware Information Server Portal or manipulate data transmitted to the application, potentially altering process information displayed to operators or interfering with remote monitoring and control capabilities.
Who's at risk
Energy sector operators using Wonderware Information Server Portal for remote monitoring and SCADA data visualization should be concerned. This includes electric utilities and industrial facilities that rely on the portal to display real-time process information and operator interfaces. The vulnerability affects all supported versions of the portal.
How it could be exploited
An attacker with network access to the Wonderware Information Server Portal could inject malicious input through web forms or API endpoints. The application does not properly validate or sanitize user input, allowing injection of SQL commands or JavaScript code that executes in the portal environment, affecting data integrity and operator visibility.
Prerequisites
  • Network access to the Wonderware Information Server Portal web interface
  • No authentication required to exploit the vulnerability
  • Ability to send crafted HTTP requests to the portal
Remotely exploitable · No authentication required · No patch available · Affects monitoring and control visibility · Web application injection vulnerabilities
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (4)
4 pending
Product | Affected Versions | Fix Status
Wonderware Information Server Portal: 4.0_SP1 | 4.0 SP1 | No fix yet
Wonderware Information Server Portal: 4.5 | 4.5 | No fix yet
Wonderware Information Server Portal: 5.0 | 5.0 | No fix yet
Wonderware Information Server Portal: 5.5 | 5.5 | No fix yet
Remediation & Mitigation
Do now
  • HARDENING: Restrict network access to the Wonderware Information Server Portal using firewall rules; only allow access from authorized engineering workstations and HMI systems
  • WORKAROUND: Deploy a Web Application Firewall (WAF) in front of the portal to filter malicious input and block SQL injection and cross-site scripting (XSS) attempts
  • HARDENING: Enable input validation and output encoding at the application level if available through configuration
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Monitor and log all access to the Wonderware Information Server Portal; alert on suspicious activity patterns
Long-term hardening
  • HARDENING: Segment the Wonderware network from corporate IT and the internet using a demilitarized zone (DMZ)
  • HOTFIX: Plan for replacement or upgrade of Wonderware Information Server Portal to a supported version
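
One way to act on the access-restriction and monitoring items above, as an added example (not part of the advisory and not Schneider Electric tooling): a triage pass over the portal's web access log that flags requests from hosts outside the authorized list and unauthenticated requests whose query strings carry SQL or script-injection markers. It assumes the web server writes W3C extended format logs; the field order, authorized subnet, URL paths and log lines are all constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Assumption: subnet of the workstations/HMIs authorized to reach the portal.
AUTHORIZED = [ipaddress.ip_network("10.20.30.0/28")]
# Assumed W3C extended log layout; match it to the #Fields line of your logs.
FIELDS = ["date", "time", "c-ip", "cs-username", "cs-method",
          "cs-uri-stem", "cs-uri-query", "sc-status"]
# Coarse markers for the two injection classes the advisory names.
SQLI = re.compile(r"'|--|/\*|\b(union|select|insert|update|delete|drop|exec)\b", re.I)
XSS = re.compile(r"<\s*(script|img|svg|iframe)\b|javascript:|\bon\w+\s*=", re.I)

# Constructed sample log lines (hypothetical paths and addresses).
SAMPLE = """#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2014-05-29 08:00:01 10.20.30.5 PLANT\\eng1 GET /portal/trend.aspx tag=Pump01&range=1h 200
2014-05-29 08:02:17 192.0.2.44 - GET /portal/trend.aspx tag=Pump01 200
2014-05-29 08:03:40 10.20.30.7 - GET /portal/report.aspx id=1%27+OR+1%3D1-- 500
2014-05-29 08:04:02 10.20.30.7 - GET /portal/view.aspx name=%253Cscript%253Ealert(1) 200
""".splitlines()

def decode(value, rounds=3):
    """URL-decode several times so double-encoded input is still inspected."""
    for _ in range(rounds):
        value = unquote_plus(value)
    return value

def triage(lines):
    """Return (client_ip, uri_stem, reasons) for each log line worth an alert."""
    alerts = []
    for line in lines:
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue  # skip log directives and lines that do not fit the layout
        rec = dict(zip(FIELDS, parts))
        query = decode(rec["cs-uri-query"])
        reasons = []
        if not any(ipaddress.ip_address(rec["c-ip"]) in net for net in AUTHORIZED):
            reasons.append("unauthorized-source")
        if SQLI.search(query):
            reasons.append("sqli-marker")
        if XSS.search(query):
            reasons.append("xss-marker")
        if reasons and rec["cs-username"] == "-":
            reasons.append("unauthenticated")
        if reasons:
            alerts.append((rec["c-ip"], rec["cs-uri-stem"], reasons))
    return alerts

print(*triage(SAMPLE), sep="\n")
```

The markers are deliberately broad, so treat hits as leads for review and tune the patterns against the portal's normal query strings before wiring them to alerting.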