Schneider Electric Floating License Manager
Act Now | 9.8 | ICS-CERT ICSA-18-144-01 | May 24, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Floating License Manager service embedded in multiple Schneider Electric SCADA and power monitoring products contains buffer overflow vulnerabilities (CWE-122, CWE-119) and an open redirect flaw (CWE-601). Successful exploitation allows an attacker to execute arbitrary code with system-level privileges on the host running the affected software, cause denial of service by crashing the licensing service, or redirect users to arbitrary websites. The vulnerability requires only network access to the service port and no authentication.
What this means
What could happen
An attacker who reaches the Floating License Manager service could run arbitrary code with system-level privileges, disable the affected SCADA or power monitoring software, or redirect users to malicious websites.
Who's at risk
Organizations operating Schneider Electric SCADA and power monitoring systems should care, including energy utilities, water treatment plants, and manufacturing facilities using EcoStruxure Modicon Builder, Vijeo Citect/CitectSCADA, Energy Expert, Power Monitoring Expert, Power SCADA Operations, PlantStruxure PES, or Vijeo/CitectHistorian for supervisory control and plant-wide monitoring.
How it could be exploited
The attacker sends a crafted network packet to the Floating License Manager service port (no authentication required). The vulnerable code processes the packet unsafely due to buffer overflow flaws (CWE-122, CWE-119), allowing the attacker to execute arbitrary system commands or crash the service.
Prerequisites
- Network access to the Floating License Manager service port on the affected Schneider Electric software
- No credentials required for exploitation
- Remotely exploitable from network access to the service port
- No authentication required
- Low complexity attack
- High EPSS score (27.2% exploitation probability)
- Affects multiple SCADA and power monitoring platforms
- No patch available for several products (end-of-life versions)
Exploitability
High exploit probability (EPSS 27.2%)
Affected products (12)
10 with fix, 2 pending
Product | Affected Versions | Fix Status
CitectSCADA | 2015, 2016 | No fix yet
CitectHistorian | 2016 | No fix yet
EcoStruxure Modicon Builder: V3.0 and prior | ≤ 3.0 | V3.1
EcoStruxure Power Monitoring Expert: 8.2 (Standard DC HC Editions) | 8.2 (Standard DC HC Editions) | 8.2 with Cumulative Update (CU) 2
SCADA Expert Vijeo Citect / CitectSCADA | 7.30, 7.40 | Floating License Manager v2.1.0.0
Energy Expert: 1.x (formerly Power Manager) | 1.x (formerly Power Manager) | 1.3 with Cumulative Update (CU) 2
StruxureWare Power Monitoring Expert: 7.2.x | 7.2.x | 7.2.2 with floating licensing manager patch, or 8.2 with Cumulative Update (CU) 2
StruxureWare Power Monitoring Expert: 8.1 (Standard DC HC Editions) | 8.1 (Standard DC HC Editions) | 7.2.2 with floating licensing manager patch, or 8.2 with Cumulative Update (CU) 2
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the Floating License Manager service using firewall rules; allow connections only from known engineering workstations and SCADA clients
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Energy Expert: 1.x (formerly Power Manager)
HOTFIX: Upgrade Energy Expert (formerly Power Manager) to version 1.3 or later, then apply Cumulative Update 2
All products
HOTFIX: Apply Floating License Manager patch version 2.1.0.0 (available at the vendor download link) to all Citect and PlantStruxure products
HOTFIX: Upgrade EcoStruxure Modicon Builder to version 3.1 or later (requires partner portal login)
HOTFIX: Upgrade StruxureWare 7.2.x to version 7.2.2 and apply the FLM patch provided by the vendor
HOTFIX: Upgrade EcoStruxure/StruxureWare Power Monitoring Expert and Power SCADA Operations to version 8.2, then apply Cumulative Update 2
Long-term hardening
HARDENING: Locate all affected software behind a firewall and isolate from business networks; do not expose to the Internet
HARDENING: If remote access to the software is required, enforce VPN with up-to-date security patches and restrict to specific users and IP addresses
API:
/api/v1/advisories/7d96ba00-b798-4b2f-a583-8fc10fe77f4d