Schneider Electric InduSoft Web Studio and InTouch Machine Edition 2014 Password Storage Vulnerability
Low Risk · ICS-CERT ICSA-15-211-01 · May 2, 2015
Summary
InduSoft Web Studio and InTouch Machine Edition 2014 store user passwords using insecure methods that do not adequately protect the credentials from disclosure. An attacker with local access to a system running these applications could retrieve stored passwords and use them to gain unauthorized access to the control system or connected engineering networks.
What this means
What could happen
Passwords used by InduSoft Web Studio and InTouch Machine Edition 2014 are stored insecurely, allowing an attacker with local access to the system to extract credentials and potentially access the control system or connected networks with those compromised accounts.
Who's at risk
Water and electric utility organizations using InduSoft Web Studio or InTouch Machine Edition 2014 for SCADA monitoring, HMI interfaces, or process automation are affected. This includes engineering workstations, operator stations, and edge computing devices running these legacy applications.
How it could be exploited
An attacker with local access to a machine running InduSoft Web Studio or InTouch Machine Edition 2014 can retrieve the insecurely stored password data from the application's configuration or database files, then use those credentials to log in as a legitimate user and make unauthorized changes to the control system.
Prerequisites
- Local access to the computer running InduSoft Web Studio or InTouch Machine Edition 2014
- Ability to read application configuration or database files on the system
Tags: no patch available; affects authentication credentials; local access required but privilege escalation risk; end-of-life software
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2, both EOL)
Product | Affected Versions | Fix Status
InduSoft Web Studio | ≤ 7.1.3.4 | No fix (EOL)
InTouch Machine Edition 2014 | ≤ 7.1 Service Pack 3 Patch 4 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Restrict local console and Remote Desktop access to InduSoft Web Studio and InTouch Machine Edition 2014 systems to authorized personnel only.
- HARDENING: Implement file-level access controls to protect InduSoft Web Studio and InTouch Machine Edition 2014 configuration and database files from unauthorized reading.
Schedule (requires maintenance window)
Patching may require a device reboot; plan for process interruption.
- HARDENING: Monitor and audit access to engineering workstations running InduSoft Web Studio or InTouch Machine Edition 2014.
Mitigations (no patch available)
The following products have reached End of Life with no planned fix: InduSoft Web Studio ≤ 7.1.3.4, InTouch Machine Edition 2014 ≤ 7.1 Service Pack 3 Patch 4. Apply the following compensating controls:
- HARDENING: Consider retiring or isolating InduSoft Web Studio and InTouch Machine Edition 2014 systems due to end-of-life status and lack of vendor patch availability.
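The two file-level controls above (restrict who can read the project files, and audit who does read them) can be applied with Windows ACLs. The script below is an added example written for this page; it is not from the advisory or from Schneider Electric. The advisory does not name the configuration or database files, so $ProjectDir and $OperatorGroup are placeholders to be replaced with the real project folder and the AD group that legitimately maintains it. The audit rule only produces events once "Audit Object Access" (or the "Audit File System" subcategory) is enabled in policy; reads then show up as Security event ID 4663, which is what the "monitor and audit access" item needs as input.

```powershell
# Added example (not vendor code): lock down and audit an HMI project directory.
# $ProjectDir and $OperatorGroup are placeholders; substitute real values.
#Requires -RunAsAdministrator
param(
    [string]$ProjectDir    = 'C:\PLACEHOLDER\InduSoftProjects',  # placeholder path
    [string]$OperatorGroup = 'DOMAIN\HMI-Engineers'              # placeholder group
)

$acl = Get-Acl -Path $ProjectDir
# Stop inheriting the parent's permissions (often BUILTIN\Users:Read) and do not copy them.
$acl.SetAccessRuleProtection($true, $false)
# Remove every remaining explicit rule so only the ones added below apply.
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# SYSTEM and local Administrators keep full control; the engineering group gets Modify.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $prop, $allow)))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $inherit, $prop, $allow)))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $OperatorGroup, 'Modify', $inherit, $prop, $allow)))
Set-Acl -Path $ProjectDir -AclObject $acl

# SACL: record every successful and failed read of these files, by anyone.
# Needs "Audit Object Access" / "Audit File System" enabled; logged as Security event 4663.
$sacl = Get-Acl -Path $ProjectDir -Audit
$sacl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'ReadData', $inherit, $prop, 'Success, Failure')))
Set-Acl -Path $ProjectDir -AclObject $sacl

# Verify: any rule left for Users or Everyone means the lock-down did not take effect.
$leftover = (Get-Acl -Path $ProjectDir).Access |
    Where-Object { $_.IdentityReference -match 'Users|Everyone' }
if ($leftover) {
    Write-Warning "Broad access still present on ${ProjectDir}:"
    $leftover | Format-Table IdentityReference, FileSystemRights, AccessControlType
} else {
    Write-Output "ACL on $ProjectDir restricted to SYSTEM, Administrators and $OperatorGroup"
}
```

Run it once per workstation after confirming which directory actually holds the project and its databases, then forward event 4663 for that path to the SIEM so reads by accounts outside $OperatorGroup can be alerted on. Because the stored passwords themselves remain recoverable by anyone who can read the files, this narrows who can read them; it does not fix the storage weakness, which is why the retire-or-isolate item stands.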
CVEs (1)