Schneider Electric InduSoft Web Studio and InTouch Machine Edition 2014 Vulnerabilities (Update A)
Low RiskICS-CERT ICSA-15-085-01ADec 27, 2015
Summary
InduSoft Web Studio and InTouch Machine Edition 2014 transmit communications without encryption, allowing an attacker with network access to intercept sensitive information including credentials and configuration data. Affected versions are InduSoft Web Studio 7.1.3.2 and earlier, and InTouch Machine Edition 2014 7.1.3.2 and earlier.
What this means
What could happen
An attacker who gains access to your network could intercept unencrypted communications with InduSoft Web Studio or InTouch systems, viewing sensitive configuration data, credentials, or process information.
Who's at risk
Energy utilities and industrial facilities running Schneider Electric InduSoft Web Studio or AVEVA InTouch Machine Edition 2014 for process monitoring and control. This affects engineering workstations, HMI servers, and any systems communicating with these products over your network.
How it could be exploited
An attacker on the network segment where InduSoft Web Studio or InTouch Machine Edition 2014 operates can passively capture unencrypted network traffic to extract credentials or configuration information, or actively intercept and modify commands sent to the systems.
Prerequisites
- Network access to the same network segment as the InduSoft Web Studio or InTouch system
- Line-of-sight to network traffic (ability to sniff or MITM attack)
- InduSoft Web Studio version 7.1.3.2 or earlier, or InTouch Machine Edition 2014 version 7.1.3.2 or earlier
No patch availableDefault credentials may be in useCleartext credential transmissionAffects HMI/engineering systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 EOL
ProductAffected VersionsFix Status
InduSoft Web Studio: <=7.1.3.2≤ 7.1.3.2No fix (EOL)
InTouch Machine Edition 2014: <=7.1.3.2≤ 7.1.3.2No fix (EOL)
Remediation & Mitigation
0/4
Do now
0/2HARDENINGMonitor network traffic for suspicious activities targeting InduSoft and InTouch systems
WORKAROUNDUse VPN or encrypted tunnels for any remote access to InduSoft Web Studio and InTouch systems
Mitigations - no patch available
0/2The following products have reached End of Life with no planned fix: InduSoft Web Studio: <=7.1.3.2, InTouch Machine Edition 2014: <=7.1.3.2. Apply the following compensating controls:
HARDENINGIsolate InduSoft Web Studio and InTouch Machine Edition 2014 systems on a dedicated network segment or VLAN
HARDENINGImplement network segmentation with firewalls between engineering workstations and production systems
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/14d2732e-a3f0-4b80-b64b-40d5a243d86e