ICSA-17-066-01_Schneider Electric Wonderware Intelligence
Act Now | 9.8 | ICS-CERT ICSA-17-066-01 | Mar 7, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A CWE-1392 vulnerability in Schneider Electric Wonderware Intelligence and associated Tableau Server/Desktop components (Wonderware Intelligence up to 2014R3, Tableau Server/Desktop up to 10.1.3) allows remote code execution with no authentication. An attacker can remotely execute arbitrary commands on the historian system, potentially compromising data integrity, plant monitoring capabilities, and operational visibility.
What this means
What could happen
An attacker with network access to Wonderware Intelligence could execute arbitrary code remotely on the system with no authentication required, potentially gaining full control of the data historian and process monitoring systems used to track plant operations.
Who's at risk
Energy sector organizations, particularly utilities and industrial facilities using Schneider Electric Wonderware Intelligence for real-time process data collection and historical trending. This includes any facility relying on Wonderware as a data historian or Tableau Server for operational visibility into plant performance and asset monitoring.
How it could be exploited
An attacker sends a specially crafted network request to the Wonderware Intelligence or Tableau Server component, exploiting CWE-1392 to execute arbitrary code. The vulnerability requires no authentication and can be triggered from any network-connected position.
Prerequisites
- Network access to the Wonderware Intelligence or Tableau Server instance on port(s) used by the application
- No credentials required
- Remotely exploitable
- No authentication required
- Low complexity exploitation
- High CVSS score (9.8)
- Affects process monitoring systems
- No patch available
Exploitability
Moderate exploit probability (EPSS 2.5%)
Affected products (1)
Product: Tableau Server/Desktop
Affected Versions: ≥ 7.0 | ≤ 10.1.3 and Wonderware Intelligence ≤ 2014R3
Fix Status: later than 10.1.3
Remediation & Mitigation
Do now
WORKAROUND: If patching is not immediately possible, disable or isolate network access to affected Wonderware Intelligence systems until patches can be applied
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade Wonderware Intelligence to a version later than 2014R3 (exact fixed version not specified in advisory)
HOTFIX: Upgrade Tableau Server/Desktop to a version later than 10.1.3
Long-term hardening
HARDENING: Implement network segmentation to restrict access to Wonderware Intelligence and Tableau Server systems to only authorized engineering and monitoring personnel
CVEs (1)