Schneider Electric ProClima ActiveX Control Vulnerabilities
Priority: Act Now · Score: 6.3 · Source: ICS-CERT ICSA-15-335-02 · Sep 3, 2015
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Schneider Electric ProClima versions 6.1 and earlier contain vulnerabilities in an ActiveX control that allow code execution. Exploitation requires user interaction and affects the integrity and confidentiality of the system.
What this means
What could happen
An attacker could execute arbitrary code on a workstation running ProClima by tricking a user into opening a malicious file or webpage, potentially compromising the engineering workstation and the data it accesses, including process configurations and setpoints.
Who's at risk
Energy sector operators using Schneider Electric ProClima for building or industrial control system engineering and configuration. This affects any personnel using ProClima on workstations that have internet access or receive files from external sources.
How it could be exploited
An attacker crafts a malicious web page or document that exploits the ActiveX control vulnerability. When a ProClima user opens the page or document in a web browser or application, the attacker's code runs with the user's privileges on the workstation. From there, the attacker could access ProClima configuration files, modify control logic, or pivot to connected control systems.
Prerequisites
- User with ProClima installed must open a malicious web page or document in their browser
- ActiveX controls must be enabled in the browser
- User interaction required (clicking or opening file)
Tags: remotely exploitable · no authentication required · low complexity · high EPSS score (11.2%) · no patch available · user interaction required
Exploitability
High exploit probability (EPSS 11.2%)
Affected products (1)
Product | Affected Versions | Fix Status
ProClima | ≤ 6.1 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable or restrict ActiveX control execution in all web browsers used on engineering workstations
HARDENING: Configure Group Policy or browser settings to prevent untrusted ActiveX controls from running
HARDENING: Educate users not to open untrusted email attachments or click links from unknown sources on engineering workstations
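An added audit script (not from the advisory or the vendor) that checks the two browser-side controls above on an Internet Explorer based workstation: whether the "Run ActiveX controls and plug-ins" setting (registry value 1200) is disabled for the Internet zone, and whether a kill bit is set for the control's CLSID. The ProClima CLSID is not given in the advisory, so a placeholder is used; the Group Policy registry path is an assumption.

```powershell
# Added example: audit ActiveX hardening on an engineering workstation.
# Replace the placeholder with the real control CLSID from the vendor's documentation.
$ControlClsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder, not the ProClima CLSID

function Get-InternetZoneActiveXSetting {
    param([int]$Zone = 3)   # 3 = Internet zone
    # Assumed Group Policy path first (takes precedence when present), then per-user setting.
    $paths = @(
        "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone",
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    )
    foreach ($p in $paths) {
        if (Test-Path $p) {
            # Value name 1200 = "Run ActiveX controls and plug-ins": 0 enable, 1 prompt, 3 disable
            $v = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'1200'
            if ($null -ne $v) {
                return [pscustomobject]@{ Path = $p; Value = $v; Disabled = ($v -eq 3) }
            }
        }
    }
    return [pscustomobject]@{ Path = $null; Value = $null; Disabled = $false }
}

function Test-ActiveXKillBit {
    param([string]$Clsid)
    # Kill bit lives in Compatibility Flags (0x400) under ActiveX Compatibility; check 32-bit view too.
    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    foreach ($k in $keys) {
        if (Test-Path $k) {
            $flags = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'Compatibility Flags'
            if (($flags -band 0x400) -ne 0) { return $true }
        }
    }
    return $false
}

$zone = Get-InternetZoneActiveXSetting
$kill = Test-ActiveXKillBit -Clsid $ControlClsid
[pscustomobject]@{
    ActiveXDisabledInInternetZone = $zone.Disabled
    SettingSource                 = $zone.Path
    KillBitSetForControl          = $kill
    Compliant                     = ($zone.Disabled -or $kill)
} | Format-List
```

Run it under an account that can read HKLM; a result of Compliant = False means neither the zone setting nor the kill bit blocks the control on that workstation.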
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Evaluate upgrade to ProClima 6.2 or later if and when available, or plan migration to a supported product with security updates
Mitigations - no patch available
ProClima ≤ 6.1 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate engineering workstations from general IT networks and internet access
CVEs (1)