Schneider Electric Wonderware Historian Client
Monitor | 6.6 | ICS-CERT ICSA-17-122-01 | May 2, 2017
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
Wonderware Historian Client 2014 R2 SP1 and prior versions contain an XML External Entity (XXE) vulnerability (CWE-611) that allows a locally authenticated user to read sensitive data or cause a denial of service. The vulnerability requires user interaction such as opening a malicious file. Schneider Electric has released security hotfix HC_SecurityHF_10.6.13100 to address this issue.
What this means
What could happen
An authenticated local attacker with low privilege can read sensitive data from the Historian Client or cause the application to crash, potentially losing access to historical process data.
Who's at risk
Energy sector operators using Wonderware Historian Client for data logging and trend analysis should be aware that workstations running version 2014 R2 SP1 or earlier are affected. This includes any facility using Schneider Electric or AVEVA data historians for monitoring power generation, transmission, or distribution systems.
How it could be exploited
An attacker with local system access and a user-level account can open a specially crafted file or interact with the Historian Client application (CWE-611: Improper Restriction of XML External Entity Reference). The low attack complexity means exploiting this does not require sophisticated techniques.
Prerequisites
- Local system access with unprivileged user credentials
- Physical or remote desktop access to the Historian Client workstation
- User interaction required (opening a malicious file or triggering a UI action)
Low attack complexity | Requires local system access | User interaction required | Confidentiality impact (data disclosure) | Availability impact (denial of service)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
Wonderware Historian Client 2014 R2: SP1 and prior | ≤ SP1 | SP1 with hotfix HC_SecurityHF_10.6.13100 (10.6.13100)
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Apply security hotfix HC_SecurityHF_10.6.13100 to Wonderware Historian Client 2014 R2 SP1
HOTFIX: If running older versions of Wonderware Historian Client, first upgrade to version 2014 R2 SP1, then apply HC_SecurityHF_10.6.13100
Long-term hardening
HARDENING: Restrict local system access and user privileges on Historian Client workstations to authorized personnel only
HARDENING: Implement file integrity monitoring or restriction policies to prevent unauthorized file opens in the Historian Client application
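A pre-open screening check in the spirit of the file restriction measure above, as an added example (not code from the advisory or from Schneider Electric): it flags XML files that carry a DOCTYPE or entity declarations, the constructs CWE-611 depends on, without ever parsing them. The advisory does not name the file types the Historian Client reads, so the function names, labels, release policy and sample documents are assumptions constructed for illustration.

```python
import re

# Byte-level patterns for the DTD constructs that CWE-611 relies on.
# Case-insensitive on purpose: the gate should be stricter than the XML grammar.
CHECKS = [
    ("doctype", re.compile(rb"<!DOCTYPE\b", re.I)),
    ("external-dtd",
     re.compile(rb"<!DOCTYPE\s+[^\s\[>]+\s+(?:SYSTEM|PUBLIC)\b", re.I)),
    ("external-entity",
     re.compile(rb"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.I)),
    ("entity-declaration", re.compile(rb"<!ENTITY\b", re.I)),
]


def screen_xml(raw: bytes) -> list[str]:
    """Return the labels of every DTD construct found; [] means none were seen.

    The file is never handed to an XML parser, so nothing is resolved here.
    Comments are not stripped: a declaration-looking string inside a comment
    is reported too, which keeps the check fail-closed.
    """
    # Dropping NUL bytes lets the ASCII patterns match UTF-16/UTF-32 input.
    flat = raw.replace(b"\x00", b"")
    return [label for label, pattern in CHECKS if pattern.search(flat)]


def may_open(raw: bytes) -> bool:
    """Policy (assumption): only files with no DOCTYPE at all are released."""
    return not screen_xml(raw)


# Constructed sample documents; element names and URIs are placeholders.
CLEAN = b'<?xml version="1.0"?>\n<trend><tag name="Tank1.Level"/></trend>\n'
EXT_ENTITY = (b'<?xml version="1.0"?>\n'
              b'<!DOCTYPE trend [<!ENTITY ext SYSTEM "file:///placeholder">]>\n'
              b'<trend>&ext;</trend>\n')
EXT_DTD = b'<!DOCTYPE trend SYSTEM "http://example.invalid/t.dtd"><trend/>'

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN), ("entity", EXT_ENTITY), ("dtd", EXT_DTD)):
        print(f"{name:7} release={may_open(doc)} findings={screen_xml(doc)}")
```

Files that fail the check are candidates for quarantine or manual review on workstations that cannot take the hotfix immediately; the check is a stopgap and does not replace HC_SecurityHF_10.6.13100.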
CVEs (1)