OTPulse

Schneider Electric Wonderware ArchestrA Logger

Act Now · CVSS 9.8 · ICS-CERT ICSA-17-187-04 · Jul 6, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed

Summary

Wonderware ArchestrA Logger versions 2017.426.2307.1 and earlier contain multiple vulnerabilities (buffer overflow, resource exhaustion, null pointer dereference) that allow remote attackers to execute arbitrary code or cause denial of service without authentication. The vulnerabilities affect any application that bundles ArchestrA Logger, including Wonderware, Avantis, SimSci, and Skelta products commonly used in energy sector SCADA and historian systems.

What this means
What could happen
An attacker could gain complete remote control of Wonderware ArchestrA Logger without any credentials, allowing them to read, modify, or delete historical process data and potentially disrupt operations that depend on logger data for monitoring and control.
Who's at risk
Energy sector operators running Wonderware ArchestrA Logger for data historian functions in power generation, distribution, or water treatment facilities. This affects any plant that uses Wonderware, Avantis, SimSci, or Skelta products that depend on the embedded ArchestrA Logger for storing historical process measurements and alarms.
How it could be exploited
An attacker with network access to the Wonderware ArchestrA Logger service port can send a specially crafted network request that exploits a buffer overflow or resource exhaustion vulnerability. No authentication is required, and the attack can be executed with basic network tools.
Prerequisites
  • Network access to Wonderware ArchestrA Logger service port from the internet or an untrusted network
  • Wonderware ArchestrA Logger version 2017.426.2307.1 or earlier installed and running
remotely exploitable · no authentication required · low complexity · high EPSS score (19.7%) · affects historian data integrity and availability · critical CVSS score (9.8)
Exploitability
High exploit probability (EPSS 19.7%)
Affected products (1)
Product | Affected Versions | Fix Status
Wonderware ArchestrA Logger | ≤ 2017.426.2307.1 | v2017.517.2328.1
Remediation & Mitigation
Do now
  • HOTFIX: Apply Schneider Electric Wonderware ArchestrA Logger Security Patch v2017.517.2328.1 to all affected systems
  • HARDENING: Isolate Wonderware ArchestrA Logger service from untrusted networks using network segmentation or firewall rules that limit access to engineering workstations and authorized SCADA servers only
  • HARDENING: Implement network access controls to restrict traffic to the logger service port to known, trusted IP addresses only
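
Added example (not part of the advisory and not Schneider Electric tooling): a patch-triage check that sorts an asset inventory using the affected and fixed Logger versions listed above. Host names and the inventory format are constructed assumptions; versions that fall between the two listed builds are reported as unverified because the advisory does not cover them.

```python
import re

# Version boundaries taken from the advisory text above.
LAST_AFFECTED = (2017, 426, 2307, 1)
FIXED = (2017, 517, 2328, 1)


def parse_version(text):
    """Return a 4-tuple of ints for 'v2017.517.2328.1'-style strings, else None."""
    m = re.fullmatch(r"\s*[vV]?(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Classify one reported Logger version against the advisory's boundaries."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"   # inspect the host by hand
    if v <= LAST_AFFECTED:     # numeric, per-component comparison
        return "affected"
    if v >= FIXED:
        return "patched"
    return "unverified"        # between the two builds: advisory is silent


def triage(inventory):
    """Map status -> sorted host list for a {host: version_string} inventory."""
    result = {}
    for host, ver in inventory.items():
        result.setdefault(classify(ver), []).append(host)
    return {status: sorted(hosts) for status, hosts in result.items()}


# Constructed sample inventory: host names and versions are made up for the
# example, apart from the two builds named in the advisory.
SAMPLE = {
    "hist-01": "2017.426.2307.1",
    "hist-02": "v2017.517.2328.1",
    "eng-ws-3": "2017.1102.2400.1",  # a plain string compare would rank this below 2017.426
    "scada-07": "2016.1215.100.2",
    "scada-09": "2017.500.0.0",
    "hmi-11": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:12} {', '.join(hosts)}")
```

Hosts reported as affected, unverified or unparseable are the ones to prioritise for the hotfix and for the network isolation steps listed above.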