OTPulse

Schneider Electric GUIcon

Monitor | CVSS 7.8 | ICS-CERT ICSA-21-313-02 | Nov 9, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

GUIcon contains buffer overflow and use-after-free vulnerabilities (CWE-787, CWE-416, CWE-125) that allow arbitrary code execution on the host PC. The product was discontinued in June 2020 and is no longer supported by Schneider Electric. Exploitation requires a user to open a malicious .gd1 configuration file in the GUIcon software. No public exploits are known to exist, and these vulnerabilities are not remotely exploitable.

What this means
What could happen
An attacker could execute arbitrary code on a PC running GUIcon by tricking a user into opening a malicious configuration file, potentially stealing sensitive information or causing unintended actions in industrial control systems.
Who's at risk
Energy sector organizations using GUIcon as a configuration and monitoring tool for Schneider Electric control systems. This affects anyone still running the legacy GUIcon software on engineering workstations or maintenance PCs used to configure industrial control equipment.
How it could be exploited
An attacker creates a malicious GUIcon configuration file (.gd1) and tricks a user into opening it in the GUIcon software tool. When the file is opened, the attacker's code executes on the host PC with the privileges of the user running GUIcon.
Prerequisites
  • User must open a malicious .gd1 configuration file in GUIcon software
  • User interaction required (social engineering or physical access to deliver the file)
  • GUIcon software must be installed on the PC
Tags: no patch available · product discontinued · user interaction required · local execution only · requires social engineering
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product | Affected Versions | Fix Status
GUIcon | ≤ 2.0 (Build 683.003) | No fix (EOL)
Remediation & Mitigation
Do now
  • HOTFIX: Discontinue use of GUIcon software and migrate to a supported Schneider Electric alternative tool
  • WORKAROUND: Verify that all .gd1 configuration files opened in GUIcon come only from trusted internal sources
  • WORKAROUND: Restrict file import capability on engineering workstations running GUIcon to only trusted network locations
Mitigations - no patch available
GUIcon has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Isolate control system networks from business networks with firewalls and restrict access to engineering workstations
  • HARDENING: Implement controls to prevent unauthorized access to engineering workstations and configuration files
  • HARDENING: Disable USB and removable media access on engineering workstations unless explicitly needed
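
One way to apply the "trusted internal sources" workaround above, as an added example that is not part of the advisory or of any Schneider Electric tooling: a SHA-256 allowlist built from a trusted internal store of .gd1 files, used to check a file before it is opened in GUIcon and to audit a workstation for unknown ones. The directory layout and function names are assumptions, and the file contents in the demo are constructed; the check works on file content only and does not parse the .gd1 format.

```python
import hashlib
import tempfile
from pathlib import Path

GD1_SUFFIX = ".gd1"  # GUIcon configuration file extension named in the advisory


def sha256_of(path: Path) -> str:
    """Stream the file so large configuration files are not loaded at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(trusted_dir: Path) -> dict:
    """Map digest -> file name for every .gd1 file in the trusted store."""
    return {sha256_of(p): p.name
            for p in sorted(trusted_dir.rglob("*"))
            if p.is_file() and p.suffix.lower() == GD1_SUFFIX}


def check_file(candidate: Path, manifest: dict) -> str:
    """Return 'trusted', 'unknown' or 'not-gd1' for a file about to be opened.
    Trust follows content, not name: a renamed copy passes, an edited one fails."""
    if candidate.suffix.lower() != GD1_SUFFIX:
        return "not-gd1"
    return "trusted" if sha256_of(candidate) in manifest else "unknown"


def audit(workstation_dir: Path, manifest: dict) -> list:
    """List .gd1 files under a directory whose content is not in the manifest."""
    return sorted(str(p) for p in workstation_dir.rglob("*")
                  if p.is_file() and check_file(p, manifest) == "unknown")


if __name__ == "__main__":
    # Constructed demo: hypothetical trusted store and workstation folder.
    with tempfile.TemporaryDirectory() as tmp:
        trusted, ws = Path(tmp, "trusted"), Path(tmp, "workstation")
        trusted.mkdir()
        ws.mkdir()
        (trusted / "line1.gd1").write_bytes(b"constructed sample config")
        (ws / "line1.gd1").write_bytes(b"constructed sample config")
        (ws / "from_email.gd1").write_bytes(b"constructed unknown content")
        manifest = build_manifest(trusted)
        for path in audit(ws, manifest):
            print("UNKNOWN .gd1, do not open in GUIcon:", path)
```

Store the manifest read-only, away from the workstation it protects, so that a file dropped on the engineering PC cannot add itself to the allowlist.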
Schneider Electric GUIcon | CVSS 7.8 - OTPulse