Schneider Electric ClearSCADA

Plan PatchCVSS 7.5ICS-CERT ICSA-17-068-01Mar 9, 2017

Schneider ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Schneider Electric ClearSCADA versions prior to 2015 R2 build 77.6181 contain an input validation flaw (CWE-20) that allows a remote attacker to cause a denial of service condition. The vulnerability does not require authentication or user interaction. An attacker with network access to the ClearSCADA server can send a specially crafted request that triggers improper input handling, causing the application to become unresponsive or crash. This results in loss of SCADA visibility and control capabilities.

What this means

What could happen

An attacker can trigger a denial of service condition on ClearSCADA servers, causing the application to become unresponsive or crash, which could interrupt real-time visibility and control of SCADA systems during critical operations.

Who's at risk

Energy utilities and industrial operators using ClearSCADA for real-time monitoring and control of generation, transmission, and distribution systems. Water authorities using ClearSCADA for SCADA operations. The vulnerability affects all versions prior to ClearSCADA 2015 R2 build 77.6181.

How it could be exploited

An attacker with network access to a ClearSCADA server (port 80/443 or the application port) sends a specially crafted request that fails input validation. The server processes the malformed input and becomes unresponsive or crashes, denying access to SCADA operators.

Prerequisites

Network access to ClearSCADA server on its listening port
No authentication required

remotely exploitableno authentication requiredlow complexityaffects SCADA supervisory systemsolder versions no longer receive patches

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (4)

1 with fix3 EOL

ProductAffected VersionsFix Status

ClearSCADA 2015 R1: (build 76.5648) and prior≤ 76.5648No fix (EOL)

ClearSCADA 2014 R1: (build 75.5210) and prior≤ 75.5210No fix (EOL)

ClearSCADA 2015 R2: (build 77.5882) and prior≤ 77.5882build 77.6181+

ClearSCADA 2014 R1.1: (build 75.5387) and prior≤ 75.5387No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to ClearSCADA servers using firewall rules or network segmentation; only permit connections from authorized engineering workstations and HMI systems

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade ClearSCADA 2015 R2 to hotfix build 77.6181 or later

HOTFIXFor ClearSCADA 2015 R1, 2014 R1, and 2014 R1.1: upgrade to ClearSCADA 2015 R2 hotfix build 77.6181 or later (end-of-life products without vendor fixes)

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: ClearSCADA 2015 R1: (build 76.5648) and prior, ClearSCADA 2014 R1: (build 75.5210) and prior, ClearSCADA 2014 R1.1: (build 75.5387) and prior. Apply the following compensating controls:

HARDENINGPlace ClearSCADA servers on a dedicated OT network segment isolated from general corporate networks and the Internet

CVEs (1)

CVE-2017-6021

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/c7253bba-fcff-4f2a-b754-e05de4f47ac3

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.