OTPulse

Schneider Electric SCADAPack Workbench

Monitor · 5.5 · ICS-CERT ICSA-22-090-01 · Mar 31, 2022
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

SCADAPack Workbench versions 6.6.8a and earlier contain an XML external entity (XXE) injection vulnerability that allows an attacker to read and exfiltrate local files from the workstation when a user opens a malicious file. The vulnerability is not remotely exploitable and requires a user to be tricked into opening an untrusted file. Schneider Electric is developing a fix for future versions but has not yet released a patch.

What this means
What could happen
An attacker with local access to a workstation running SCADAPack Workbench could extract sensitive data from local files and send it to a remote system. This could expose engineering configurations, process logic, or other confidential information stored on the workstation.
Who's at risk
Engineering and operations teams at energy utilities who use Schneider Electric SCADAPack Workbench on Windows workstations for SCADA engineering and configuration. This includes anyone who opens project files, configuration files, or documents in SCADAPack Workbench.
How it could be exploited
An attacker must first trick a user into opening a malicious file (such as a crafted XML document or project file) in SCADAPack Workbench. Once the file is opened, the vulnerability allows the application to read local files on the workstation and exfiltrate them to an attacker-controlled server.
Prerequisites
  • Local access to the workstation running SCADAPack Workbench
  • User must open a malicious file with SCADAPack Workbench
  • The workstation must have outbound network access to a remote system controlled by the attacker
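As an added illustration of the mechanism described above (this is example code written for this page, not code from the advisory, OTPulse, or Schneider Electric), the following Python check screens an XML file for the XXE pattern before it is handed to an application: it parses the file with expat, records any DOCTYPE or entity declaration that points outside the document, and refuses to resolve external entity references rather than fetching them. Both XML documents are constructed samples, the file path in the entity declaration is a placeholder, and the helper names are this example's own.

```python
"""Screen an XML document for external entity declarations before an application opens it.

Added example: the sample documents are constructed, the helper names are
hypothetical, and nothing here is SCADAPack Workbench code.
"""
import xml.parsers.expat

# Constructed sample: an ordinary project-style document with no DTD.
BENIGN_XML = """<?xml version="1.0"?>
<project name="pump_station_01">
  <device type="rtu">rtu-01</device>
</project>
"""

# Constructed sample of the XXE pattern: the internal DTD subset declares an
# entity whose content is loaded from a local file (placeholder path), and the
# body references it, so a parser that resolves external entities would copy
# that file's contents into the parsed document.
XXE_XML = """<?xml version="1.0"?>
<!DOCTYPE project [
  <!ENTITY leak SYSTEM "file:///PLACEHOLDER/path/to/local/file">
]>
<project name="pump_station_01">
  <device type="rtu">&leak;</device>
</project>
"""


def find_external_entities(xml_text):
    """Parse xml_text with external resolution refused and return a list of findings.

    Each finding is a tuple (kind, name, system_id); kind is one of
    "external_dtd", "declaration" or "reference". An empty list means the
    document neither declares nor references anything outside itself.
    """
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # <!DOCTYPE x SYSTEM "..."> pulls in an external DTD, which can itself declare entities.
        if system_id is not None or public_id is not None:
            findings.append(("external_dtd", name, system_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # An entity declared with a SYSTEM or PUBLIC identifier is external:
        # its replacement text would be read from that URI.
        if system_id is not None or public_id is not None:
            findings.append(("declaration", name, system_id))

    def on_external_ref(context, base, system_id, public_id):
        # expat asks us to fetch the entity; returning 0 aborts the parse instead.
        findings.append(("reference", None, system_id))
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError:
        # Refusing the external reference surfaces as an ExpatError; the
        # findings already explain why. A malformed document with no
        # findings is a different problem, so re-raise in that case.
        if not findings:
            raise
    return findings


def is_safe_to_open(xml_text):
    """True only when the document contains no external entity or DTD reference."""
    return not find_external_entities(xml_text)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_XML), ("xxe", XXE_XML)):
        print(label, "safe" if is_safe_to_open(doc) else find_external_entities(doc))
```

The check never fetches the entity, so it can run on a file share, mail gateway, or import directory before a file reaches the engineering workstation; the same refusal is what a hardened XML parser configuration applies inside the application itself.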
Local access required · User interaction required (must open malicious file) · No patch available · Data exfiltration (confidential engineering data at risk)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product             | Affected Versions | Fix Status
SCADAPack Workbench | ≤ 6.6.8a          | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Run SCADAPack Workbench with User privileges instead of Administrator
WORKAROUND: Block or restrict outbound communication from workstations running SCADAPack Workbench to external networks using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Implement data loss prevention (DLP) tools to monitor and block exfiltration of sensitive files from engineering workstations
HARDENING: Apply least-privilege access controls to user accounts and limit access to shared resources such as databases to minimum required rights
Mitigations - no patch available
SCADAPack Workbench has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Train users not to open untrusted or unexpected files with SCADAPack Workbench and to recognize phishing and social engineering attacks