Fazecast jSerialComm
Plan Patch · CVSS 7.8 · ICS-CERT ICSA-20-126-01 · May 5, 2020
Schneider Electric
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
jSerialComm versions 2.2.2 and earlier, and EcoStruxure IT Gateway versions 1.5.x through 1.7.x contain a DLL hijacking vulnerability. A malicious DLL file with the same name as a resident library in the installation directory can be executed by the application, allowing arbitrary code execution. No public exploits are currently known, but the vulnerability is exploitable.
What this means
What could happen
An attacker could place a malicious DLL file with the same name as a legitimate library in the software installation directory, allowing arbitrary code execution with the privileges of the application. This could enable an attacker to manipulate industrial control functions or disable critical IT infrastructure.
Who's at risk
Organizations using Fazecast jSerialComm or Schneider Electric EcoStruxure IT Gateway for industrial control system communication or IT infrastructure management should prioritize patching. This affects companies relying on these tools for device communication or energy management systems.
How it could be exploited
An attacker gains write access to the jSerialComm or EcoStruxure IT Gateway installation directory (typically requiring local system access or a compromised account), then places a malicious DLL with the same name as a resident library. When the application loads DLLs, it executes the attacker's malicious code instead of the legitimate library.
Prerequisites
- Local write access to the software installation directory
- Unprivileged user account (PR:L)
- Knowledge of DLL names used by the application
Local privilege escalation required but exploitable by unprivileged users
Low complexity attack
DLL hijacking/DLL preloading vulnerability
Installation directory write access is a common misconfiguration
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| jSerialComm | ≤ 2.2.2 | 2.3+ |
| EcoStruxure IT Gateway | 1.5.x, 1.6.x, 1.7.x | 1.8.1+ |
Remediation & Mitigation
Do now
HARDENING: Restrict write permissions on software installation directories to prevent unprivileged users from placing files
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update jSerialComm to Version 2.3 or later
HOTFIX: Upgrade EcoStruxure IT Gateway to Version 1.8.1 or later
Long-term hardening
HARDENING: Implement application-level integrity monitoring for DLLs loaded by jSerialComm and EcoStruxure IT Gateway
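One way to approach the integrity-monitoring item, as an added example (not code from the advisory, Fazecast or Schneider Electric): record SHA-256 digests of the DLLs in the installation directory after patching, then report any library that was later added, removed or changed. The function names, the `.dll` filter and the sample files are assumptions made for this sketch.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions treated as loadable native libraries (assumption for this example).
LIB_SUFFIXES = {".dll"}

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large libraries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(install_dir: Path) -> dict:
    """Map each library's lower-cased relative path to its SHA-256 digest."""
    baseline = {}
    for path in install_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in LIB_SUFFIXES:
            # Windows file names are case-insensitive, so normalise the key.
            key = path.relative_to(install_dir).as_posix().lower()
            baseline[key] = sha256_file(path)
    return baseline

def compare(baseline: dict, install_dir: Path) -> dict:
    """Report libraries added, removed or modified since the baseline."""
    current = build_baseline(install_dir)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }

def demo() -> dict:
    """Constructed sample: a scratch directory stands in for the install path."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "serial.dll").write_bytes(b"vendor build")       # constructed
        (root / "readme.txt").write_text("not a library")        # ignored by filter
        known_good = build_baseline(root)                        # taken after patching
        (root / "serial.dll").write_bytes(b"replaced contents")  # same name, new bytes
        (root / "Helper.DLL").write_bytes(b"unexpected file")    # library not in baseline
        return compare(known_good, root)

if __name__ == "__main__":
    print(demo())
```

Store the baseline outside the installation directory, somewhere the accounts that can write to that directory cannot alter it.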
CVEs (1)