OTPulse

Schneider Electric SoMove Software and DTM Software Components

CVSS 7.8 · ICS-CERT ICSA-18-065-02 · Mar 6, 2018
Attack Vector: Local
Privileges Required: Low (an ordinary local user account)
Attack Complexity: Low
User Interaction: None needed
Summary

Schneider Electric SoMove software and Device Type Manager (DTM) libraries for Altivar variable frequency drives contain an insecure loading vulnerability (CWE-427). An attacker with local access can exploit this to execute arbitrary code with elevated privileges on engineering workstations or systems running these components. Affected products include SoMove versions before 2.6.3 and multiple ATV-series DTM libraries (ATV6xx, ATV9xx, ATV12, ATV32, ATV31/312, ATV320, ATV340, ATV61, ATV71, ATV212, ATV LIFT, and AltivarDtmLibrary) with various version cutoffs.

What this means
What could happen
An attacker who already has a local account on an engineering workstation running SoMove, or on any system with the affected DTM libraries installed, can get arbitrary code executed in the context of the SoMove or DTM host process. Because that process is the one talking to the drives, the attacker can then push modified motor drive configurations, change process setpoints, or stop drives outright.
Who's at risk
Energy sector operators using Schneider Electric Altivar variable frequency drives (VFDs) and motor control systems should care. This affects engineering and commissioning workstations running SoMove software and any systems with ATV-series DTM libraries installed, including ATV6xx, ATV9xx, ATV12, ATV32, ATV31/312, ATV320, ATV340, ATV61, ATV71, ATV212, and ATV LIFT drive families.
How it could be exploited
CWE-427 (uncontrolled search path element) means the software asks the operating system to load a library by bare file name rather than by full path, so the Windows loader walks its DLL search order (application directory, system directories, current directory, then the PATH entries) and takes the first file with that name. An attacker with a local user account who can write to any directory searched before the legitimate library's location plants a DLL of the expected name there; the next time SoMove or a DTM loads that library, the attacker's code runs with the privileges of the loading process. Privilege elevation follows when that process runs with higher rights than the account that planted the file, for example when a technician launches SoMove as an administrator. From there the attacker can manipulate Altivar drive configurations or the connected industrial process.
Prerequisites
  • Local user account on engineering workstation or control system
  • SoMove software or an affected DTM library installed on the target system (the planted library is picked up the next time the software loads it)
  • Ability to write files to a location that SoMove or DTM processes load from
  • Only a low-privileged local account is needed; no further authentication is required
  • Low attack complexity
  • Affects energy sector critical equipment (VFDs)
  • Fixed versions are published for all affected products, but the 2018 advisory date means some installed components may sit on legacy or end-of-life workstations that are hard to update
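As an added illustration (not from the advisory or from Schneider Electric), the following Python script models the Windows loader's DLL search order and reports, for a library loaded by bare name, which directory the loader would resolve it from and which earlier-searched directories the current user can write to. The DLL name, the directory layout and the demo files are constructed assumptions; the advisory does not name the affected library. The writability check uses os.access, which on Windows only reflects the read-only attribute, so treat its output as a first pass and confirm with icacls or Get-Acl.

```python
"""Search-order audit for a DLL loaded by bare name (added example, not vendor code)."""
import os
import tempfile
from pathlib import Path
from typing import Iterable, List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    dll: str
    resolved: Optional[str]       # path the loader would actually load, or None if not found
    writable_before: List[str]    # directories searched earlier that this user can write to


def dll_search_order(app_dir: str, cwd: str, path_env: str,
                     system_dirs: Iterable[str] = (),
                     safe_search: bool = True) -> List[str]:
    """Directory order the Windows loader uses for LoadLibrary("name.dll").

    With SafeDllSearchMode on (the default), the current directory is searched
    after the system directories; with it off, right after the application directory.
    """
    order: List[str] = [app_dir]
    if not safe_search:
        order.append(cwd)
    order.extend(system_dirs)
    if safe_search:
        order.append(cwd)
    order.extend(p for p in path_env.split(os.pathsep) if p)
    seen, unique = set(), []
    for d in order:                     # keep the first occurrence of each directory
        key = os.path.normcase(os.path.abspath(d))
        if key not in seen:
            seen.add(key)
            unique.append(d)
    return unique


def audit_dll(dll_name: str, order: List[str]) -> Finding:
    """Walk the search order; every writable directory before the real DLL is a planting site."""
    writable_before: List[str] = []
    for d in order:
        candidate = Path(d) / dll_name
        if candidate.is_file():
            return Finding(dll_name, str(candidate), writable_before)
        # os.access is a coarse check on Windows; confirm with icacls/Get-Acl.
        if os.path.isdir(d) and os.access(d, os.W_OK):
            writable_before.append(d)
    return Finding(dll_name, None, writable_before)


def demo() -> Tuple[Finding, str, str]:
    """Constructed scenario: the application directory is writable and searched before
    the directory that really holds the library (all names are hypothetical)."""
    root = Path(tempfile.mkdtemp(prefix="dll_audit_"))
    app_dir = root / "App"
    lib_dir = root / "Lib"
    app_dir.mkdir()
    lib_dir.mkdir()
    (lib_dir / "drivedtm.dll").write_bytes(b"MZ demo")      # the legitimate library
    order = dll_search_order(str(app_dir), cwd=str(lib_dir), path_env="")
    return audit_dll("drivedtm.dll", order), str(app_dir), str(lib_dir)


if __name__ == "__main__":
    finding, app_dir, lib_dir = demo()
    print("loader resolves to:", finding.resolved)
    for d in finding.writable_before:
        print("plant-able directory searched first:", d)
```

Run it against the real install by passing the SoMove application directory, the system directories and the current value of PATH to dll_search_order, then audit each library name the process loads (Process Monitor or a similar loader trace will list them).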
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (13)
13 with fix

Product               Affected versions   Fixed version
SoMove software       < 2.6.2             2.6.3
ATV6xx DTM            < 1.8.0             1.8.0
ATV9xx DTM            < 1.3.5             1.3.5
ATV340 DTM            < 1.2.3             1.2.3
ATV320 DTM            < 1.1.6             1.1.6
ATV12 DTM             < 12.7.0            12.7.0
ATV32 DTM             < 12.7.0            12.7.0
ATV31/312 DTM         < 12.7.0            12.7.0
ATV71 DTM             < 12.7.0            12.7.0
ATV61 DTM             < 12.7.0            12.7.0
ATV212 DTM            < 12.7.0            12.7.0
ATV LIFT DTM          < 12.7.0            12.7.0
AltivarDtmLibrary     < 12.7.0            12.7.0
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • Hotfix: Update SoMove software to version 2.6.3 or later
  • Hotfix: Update ATV320 DTM to version 1.1.6 or later
  • Hotfix: Update ATV340 DTM to version 1.2.3 or later
  • Hotfix: Update ATV6xx DTM to version 1.8.0 or later
  • Hotfix: Update ATV9xx DTM to version 1.3.5 or later
  • Hotfix: Update ATV12, ATV32, ATV31/312, ATV71, ATV61, ATV212, and ATV LIFT DTM libraries to version 12.7.0 or later
  • Hotfix: Update AltivarDtmLibrary to version 12.7.0 or later
Long-term hardening
  • Hardening: Restrict local user access to engineering workstations running SoMove to authorized personnel only
  • Hardening: Implement file integrity monitoring on the directories where SoMove and the DTM libraries are installed, so that an added or replaced library is detected
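The file integrity monitoring item can be covered with a small baseline-and-compare tool. The script below is an added example, not part of the advisory or of any vendor tooling; the directory layout and file names in demo() are constructed. It hashes every loadable file under an install root, stores the hashes as JSON, and on each later run reports files that were added (a planted DLL), removed, or changed.

```python
"""Baseline-and-compare file integrity check for an install tree (added example, not vendor code)."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, NamedTuple, Set

# Extensions the Windows loader will execute; anything else is noise for this check.
LOADABLE = {".dll", ".exe", ".ocx", ".sys"}


class Drift(NamedTuple):
    added: Set[str]      # present now, absent from the baseline: a planted library
    removed: Set[str]
    modified: Set[str]   # same path, different SHA-256


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map of root-relative path -> SHA-256 for every loadable file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in LOADABLE
    }


def save_baseline(baseline: Dict[str, str], out: Path) -> None:
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> Dict[str, str]:
    return json.loads(src.read_text())


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Drift:
    old, new = set(baseline), set(current)
    return Drift(
        added=new - old,
        removed=old - new,
        modified={p for p in old & new if baseline[p] != current[p]},
    )


def demo() -> Drift:
    """Constructed scenario: take a baseline, then simulate a DLL being planted in a
    subdirectory and an existing library being replaced in place. Names are hypothetical."""
    root = Path(tempfile.mkdtemp(prefix="fim_demo_"))
    (root / "plugins").mkdir()
    (root / "tool.exe").write_bytes(b"MZ exe")
    (root / "drivedtm.dll").write_bytes(b"MZ dll v1")
    (root / "readme.txt").write_text("not monitored")
    baseline_file = root / "baseline.json"          # .json is not in LOADABLE, so never hashed
    save_baseline(build_baseline(root), baseline_file)

    (root / "drivedtm.dll").write_bytes(b"MZ dll tampered")      # replaced in place
    (root / "plugins" / "dropped.dll").write_bytes(b"MZ evil")   # planted
    return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    drift = demo()
    for label, paths in zip(("added", "removed", "modified"), drift):
        for p in sorted(paths):
            print(f"{label}: {p}")
```

Keep the baseline file somewhere the monitored accounts cannot write (a separate volume or a read-only share), otherwise an attacker who can plant a DLL can also rewrite the baseline; re-baseline only immediately after applying a vendor update.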