Schneider Electric IGSS

Plan PatchCVSS 7.8ICS-CERT ICSA-21-159-04Jun 8, 2021

Schneider ElectricEnergyManufacturing

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

IGSS Definition (Def.exe) versions 15.0.0.21140 and prior contain multiple memory corruption vulnerabilities (CWE-787, CWE-125, CWE-416, CWE-119) and path traversal issues (CWE-22) in the CGF and WSP file import functionality. Successful exploitation results in remote code execution with the privileges of the importing user on the Windows machine hosting the IGSS Definition application. No known public exploits currently target these vulnerabilities, and they are not remotely exploitable without user interaction.

What this means

What could happen

An attacker could execute arbitrary code on the Windows machine running IGSS Definition by tricking a user into importing a malicious CGF or WSP file, potentially compromising the engineering workstation and allowing further access to control systems.

Who's at risk

Energy sector organizations using Schneider Electric IGSS Definition (Def.exe) for control system engineering and configuration. This affects engineering workstations and development environments where CGF (configuration) and WSP (workspace) files are imported during system setup and maintenance.

How it could be exploited

An attacker creates a malicious CGF (configuration) or WSP (workspace) file and tricks a user into importing it into IGSS Definition (Def.exe). The file triggers a memory corruption vulnerability (buffer overflow or use-after-free) during import, allowing the attacker to run arbitrary code with the privileges of the user importing the file.

Prerequisites

User must import a malicious CGF or WSP file into IGSS Definition
File import action requires user interaction (social engineering or deception)
Attacker must deliver the malicious file to the target user (email, file share, removable media)

memory corruption vulnerability (buffer overflow, use-after-free)requires user interaction to import fileengineering workstation compromise could lead to control system manipulationlow complexity exploitation once user opens fileaffects safety-critical system configuration tools

Exploitability

Unlikely to be exploited — EPSS score 0.6%

Affected products (3)

3 with fix

ProductAffected VersionsFix Status

IGSS Definition (Def.exe): v15.0.0.21140 and prior≤ 15.0.0.2114015.0.0.21141

IGSS Definition (Def.exe) V15.0.0.21041 and prior≤ 15.0.0.2104115.0.0.21141

IGSS Definition (Def.exe) V15.0.0.21140 and prior≤ 15.0.0.2114015.0.0.21141

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDDo not import CGF and WSP files from untrusted or unexpected sources; verify file origin before import

HARDENINGEducate users about social engineering: do not open or import files from unsolicited emails or untrusted sources

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

IGSS Definition (Def.exe): v15.0.0.21140 and prior

HOTFIXUpdate IGSS Definition (Def.exe) to version 15.0.0.21141 or later

Long-term hardening

0/2

HARDENINGIsolate engineering workstations running IGSS Definition from the business network using firewalls or network segmentation

HARDENINGRestrict file import capabilities to specific trusted directories or file sources where possible

CVEs (13)

CVE-2021-22750 CVE-2021-22751 CVE-2021-22752 CVE-2021-22753 CVE-2021-22754 CVE-2021-22755 CVE-2021-22756 CVE-2021-22757 CVE-2021-22758 CVE-2021-22759 CVE-2021-22760 CVE-2021-22761 CVE-2021-22762

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/407ee09b-a88b-4d86-933f-890c0482cd8d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.