Schneider Electric SoMove Software and DTM Software Components

Plan PatchCVSS 7.8ICS-CERT ICSA-18-065-02Mar 6, 2018

Schneider ElectricEnergy

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Schneider Electric SoMove software and Device Type Manager (DTM) libraries for Altivar variable frequency drives contain an insecure loading vulnerability (CWE-427). An attacker with local access can exploit this to execute arbitrary code with elevated privileges on engineering workstations or systems running these components. Affected products include SoMove versions before 2.6.3 and multiple ATV-series DTM libraries (ATV6xx, ATV9xx, ATV12, ATV32, ATV31/312, ATV320, ATV340, ATV61, ATV71, ATV212, ATV LIFT, and AltivarDtmLibrary) with various version cutoffs.

What this means

What could happen

An attacker with local access to an engineering workstation running SoMove or a system with DTM libraries can execute arbitrary code with elevated privileges, potentially allowing modification of motor drive configurations, process setpoints, or stopping operations.

Who's at risk

Energy sector operators using Schneider Electric Altivar variable frequency drives (VFDs) and motor control systems should care. This affects engineering and commissioning workstations running SoMove software and any systems with ATV-series DTM libraries installed, including ATV6xx, ATV9xx, ATV12, ATV32, ATV31/312, ATV320, ATV340, ATV61, ATV71, ATV212, and ATV LIFT drive families.

How it could be exploited

An attacker with local user account access to a machine running vulnerable SoMove software or DTM libraries can exploit an insecure loading vulnerability to inject and execute malicious code. This code would run with the privileges of the SoMove application, enabling manipulation of Altivar drive configurations or connected industrial processes.

Prerequisites

Local user account on engineering workstation or control system
SoMove software or DTM library installed and running on the target system
Ability to write files to a location that SoMove or DTM processes load from

No authentication required for local exploitationLow complexity attackAffects energy sector critical equipment (VFDs)No patch available for several product versions (advisory date 2018 indicates legacy products may be end-of-life)

Exploitability

Unlikely to be exploited — EPSS score 0.5%

Affected products (13)

13 with fix

ProductAffected VersionsFix Status

SoMove software:< 2.6.22.6.3

ATV6xx DTM:< 1.8.01.8.0

ATV340 DTM:< 1.2.31.2.3

ATV12 DTM:< 12.7.012.7.0

ATV32 DTM:< 12.7.012.7.0

ATV320 DTM:< 1.1.61.1.6

AltivarDtmLibrary:< 12.7.012.7.0

ATV9xx DTM:< 1.3.51.3.5

Remediation & Mitigation

0/9

Schedule — requires maintenance window

0/7

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SoMove software to version 2.6.3 or later

HOTFIXUpdate ATV320 DTM to version 1.1.6 or later

HOTFIXUpdate ATV340 DTM to version 1.2.3 or later

HOTFIXUpdate ATV6XX DTM to version 1.8.0 or later

HOTFIXUpdate ATV9XX DTM to version 1.3.5 or later

HOTFIXUpdate ATV12, ATV32, ATV31/312, ATV71, ATV61, ATV212, and ATV LIFT DTM libraries to version 12.7.0 or later

HOTFIXUpdate AltivarDtmLibrary to version 12.7.0 or later

Long-term hardening

0/2

HARDENINGRestrict local user access to engineering workstations running SoMove to authorized personnel only

HARDENINGImplement file integrity monitoring on directories where SoMove and DTM libraries are installed to detect unauthorized modification

CVEs (1)

CVE-2018-7239

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/aa1ea6ed-2af4-4bd3-90f4-5b4645ddfd2f

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.