Schneider Electric Floating License Manager

Act NowCVSS 9.8ICS-CERT ICSA-18-144-01May 24, 2018

Schneider ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The Floating License Manager service embedded in multiple Schneider Electric SCADA and power monitoring products contains buffer overflow vulnerabilities (CWE-122, CWE-119) and an open redirect flaw (CWE-601). Successful exploitation allows an attacker to execute arbitrary code with system-level privileges on the host running the affected software, cause denial of service by crashing the licensing service, or redirect users to arbitrary websites. The vulnerability requires only network access to the service port and no authentication.

What this means

What could happen

An attacker who reaches the Floating License Manager service could run arbitrary code with system-level privileges, disable the affected SCADA or power monitoring software, or redirect users to malicious websites.

Who's at risk

Organizations operating Schneider Electric SCADA and power monitoring systems should care, including energy utilities, water treatment plants, and manufacturing facilities using EcoStruxure Modicon Builder, Vijeo Citect/CitectSCADA, Energy Expert, Power Monitoring Expert, Power SCADA Operations, PlantStruxure PES, or Vijeo/CitectHistorian for supervisory control and plant-wide monitoring.

How it could be exploited

The attacker sends a crafted network packet to the Floating License Manager service port (no authentication required). The vulnerable code processes the packet unsafely due to buffer overflow flaws (CWE-122, CWE-119), allowing the attacker to execute arbitrary system commands or crash the service.

Prerequisites

Network access to the Floating License Manager service port on the affected Schneider Electric software
No credentials required for exploitation

Remotely exploitable from network access to the service portNo authentication requiredLow complexity attackHigh EPSS score (27.2% exploitation probability)Affects multiple SCADA and power monitoring platformsNo patch available for several products (end-of-life versions)

Exploitability

Likely to be exploited — EPSS score 29.1%

Affected products (12)

10 with fix2 pending

ProductAffected VersionsFix Status

CitectSCADA:2015 | 2016No fix yet

CitectHistorian:2016No fix yet

EcoStruxure Modicon Builder: V3.0 and prior≤ 3.0V3.1

EcoStruxure Power Monitoring Expert: 8.2 (Standard DC HC Editions)8.2 (Standard DC HC Editions)8.2 with Cumulative Update (CU) 2

SCADA Expert Vijeo Citect / CitectSCADA:7.30 | 7.40Floating License Manager v2.1.0.0

Energy Expert: 1.x (formerly Power Manager)1.x (formerly Power Manager)1.3 with Cumulative Update (CU) 2

StruxureWare Power Monitoring Expert: 7.2.x7.2.x7.2.2 with floating licensing manager patch, or 8.2 with Cumulative Update (CU) 2

StruxureWare Power Monitoring Expert: 8.1 (Standard DC HC Editions)8.1 (Standard DC HC Editions)7.2.2 with floating licensing manager patch, or 8.2 with Cumulative Update (CU) 2

Remediation & Mitigation

0/8

Do now

0/1

WORKAROUNDRestrict network access to the Floating License Manager service using firewall rules; allow connections only from known engineering workstations and SCADA clients

Schedule — requires maintenance window

0/5

Patching may require device reboot — plan for process interruption

Energy Expert: 1.x (formerly Power Manager)

HOTFIXUpgrade Energy Expert (formerly Power Manager) to version 1.3 or later, then apply Cumulative Update 2

All products

HOTFIXApply Floating License Manager patch version 2.1.0.0 (available at the vendor download link) to all Citect and PlantStruxure products

HOTFIXUpgrade EcoStruxure Modicon Builder to version 3.1 or later (requires partner portal login)

HOTFIXUpgrade StruxureWare 7.2.x to version 7.2.2 and apply the FLM patch provided by the vendor

HOTFIXUpgrade EcoStruxure/StruxureWare Power Monitoring Expert and Power SCADA Operations to version 8.2, then apply Cumulative Update 2

Long-term hardening

0/2

HARDENINGLocate all affected software behind a firewall and isolate from business networks; do not expose to the Internet

HARDENINGIf remote access to the software is required, enforce VPN with up-to-date security patches and restrict to specific users and IP addresses

CVEs (3)

CVE-2016-2177 CVE-2016-10395 CVE-2017-5571

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/7d96ba00-b798-4b2f-a583-8fc10fe77f4d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.