OTPulse

Schneider Electric ClearSCADA

Plan Patch | CVSS 7.5 | ICS-CERT ICSA-17-068-01 | Mar 9, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed

Summary

Schneider Electric ClearSCADA versions prior to 2015 R2 build 77.6181 contain an input validation flaw (CWE-20) that allows a remote attacker to cause a denial of service condition. The vulnerability does not require authentication or user interaction. An attacker with network access to the ClearSCADA server can send a specially crafted request that triggers improper input handling, causing the application to become unresponsive or crash. This results in loss of SCADA visibility and control capabilities.

What this means
What could happen
An attacker can trigger a denial of service condition on ClearSCADA servers, causing the application to become unresponsive or crash, which could interrupt real-time visibility and control of SCADA systems during critical operations.
Who's at risk
Energy utilities and industrial operators using ClearSCADA for real-time monitoring and control of generation, transmission, and distribution systems. Water authorities using ClearSCADA for SCADA operations. The vulnerability affects all versions prior to ClearSCADA 2015 R2 build 77.6181.
How it could be exploited
An attacker with network access to a ClearSCADA server (port 80/443 or the application port) sends a specially crafted request that fails input validation. The server processes the malformed input and becomes unresponsive or crashes, denying access to SCADA operators.
Prerequisites
  • Network access to ClearSCADA server on its listening port
  • No authentication required
Tags: remotely exploitable · no authentication required · low complexity · affects SCADA supervisory systems · older versions no longer receive patches
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (4)
1 with fix, 3 EOL

Product | Affected Versions | Fix Status
ClearSCADA 2015 R1 (build 76.5648) and prior | ≤ 76.5648 | No fix (EOL)
ClearSCADA 2014 R1 (build 75.5210) and prior | ≤ 75.5210 | No fix (EOL)
ClearSCADA 2015 R2 (build 77.5882) and prior | ≤ 77.5882 | build 77.6181 or later
ClearSCADA 2014 R1.1 (build 75.5387) and prior | ≤ 75.5387 | No fix (EOL)

Remediation & Mitigation
Do now
  • WORKAROUND: Restrict network access to ClearSCADA servers using firewall rules or network segmentation; only permit connections from authorized engineering workstations and HMI systems
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade ClearSCADA 2015 R2 to hotfix build 77.6181 or later
  • HOTFIX: For ClearSCADA 2015 R1, 2014 R1, and 2014 R1.1: upgrade to ClearSCADA 2015 R2 hotfix build 77.6181 or later (end-of-life products without vendor fixes)
Mitigations - no patch available
The following products have reached End of Life with no planned fix: ClearSCADA 2015 R1 (build 76.5648) and prior, ClearSCADA 2014 R1 (build 75.5210) and prior, ClearSCADA 2014 R1.1 (build 75.5387) and prior. Apply the following compensating controls:
  • HARDENING: Place ClearSCADA servers on a dedicated OT network segment isolated from general corporate networks and the Internet