OTPulse

Schneider Electric Multiple Products Buffer Overflow Vulnerability

Low Risk · ICS-CERT ICSA-15-027-02 · Oct 30, 2015
Summary

Schneider Electric software and communication library products contain a buffer overflow vulnerability in stack memory. Affected products include engineering workstation software (Unity Pro, SoMachine, SoMove, SoMove Lite) and industrial communication libraries (Modbus, CANopen, EtherNet/IP). The vulnerability could be triggered through malformed input processing in these components.

What this means
What could happen
A local attacker with access to an engineering workstation could exploit this buffer overflow to execute arbitrary code, potentially gaining control of IED/PLC programming environments and the devices they manage. This could lead to unauthorized modification of control logic or supervisory commands on connected industrial equipment.
Who's at risk
Energy sector operators using Schneider Electric engineering tools (Unity Pro, SoMachine, SoMove) and devices communicating via Modbus, CANopen, or EtherNet/IP protocols. This includes utilities managing PLC-based control systems, variable frequency drives, gateways, and distributed I/O terminals that rely on these libraries for communication and programming.
How it could be exploited
An attacker would need to supply malformed data or files that trigger the buffer overflow in the vulnerable software running on an engineering workstation. Once code execution is achieved on the workstation, the attacker could use integrated development or communication features to push malicious configurations or control commands to connected PLCs, gateways, or other industrial devices.
Prerequisites
  • Local or network access to an engineering workstation running affected Schneider Electric software
  • Ability to provide malformed input to the vulnerable library or application
  • Engineering workstation not segregated from production network (to reach industrial devices)
no patch available · affects engineering/programming software · buffer overflow (potential for code execution) · affects multiple industrial communication protocols
Exploitability
Moderate exploit probability (EPSS 2.2%)
Affected products (12) · 12 EOL

Product                              Affected Versions   Fix Status
Unity Pro                            All versions        No fix (EOL)
SoMachine                            All versions        No fix (EOL)
SoMove                               All versions        No fix (EOL)
SoMove Lite                          All versions        No fix (EOL)
Modbus Communication Library         ≤ 2.2.6             No fix (EOL)
CANopen Communication Library        ≤ 1.0.2             No fix (EOL)
EtherNet/IP Communication Library    ≤ 1.0.0             No fix (EOL)
EM X80 Gateway DTM (MB TCP/SL)       All versions        No fix (EOL)

Remediation & Mitigation
Do now
  • HARDENING: Isolate engineering workstations from production networks using network segmentation or air-gapping to prevent attackers from reaching control devices via compromised workstation software
  • HARDENING: Restrict access to engineering workstations to authorized personnel only; implement access controls and monitor user activity on systems running Unity Pro, SoMachine, or SoMove
  • WORKAROUND: Disable network-exposed instances of affected communication libraries where not actively needed for remote configuration or monitoring
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Implement endpoint protection (antivirus/intrusion detection) on engineering workstations to detect exploitation attempts targeting buffer overflow vulnerabilities
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Unity Pro (all versions), SoMachine (all versions), SoMove (all versions), SoMove Lite (all versions), Modbus Communication Library (≤ 2.2.6), CANopen Communication Library (≤ 1.0.2), EtherNet/IP Communication Library (≤ 1.0.0), EM X80 Gateway DTM (MB TCP/SL) (all versions), Advantys DTMs (OTB, STB) (all versions), KINOS DTM (all versions), SOLO DTM (all versions), Xantrex DTMs (all versions). Apply the following compensating controls:
  • HARDENING: Monitor for signs of compromise on engineering workstations: unexpected network traffic to control devices, unauthorized changes to device configurations, or unusual process execution