Schneider Electric EcoStruxure Foxboro DCS Core Control Services

Plan Patch7.8ICS-CERT ICSA-24-345-02Jul 9, 2024

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Schneider Electric EcoStruxure Foxboro DCS Core Control Services (versions 9.5–9.8) contains buffer overflow (CWE-787) and input validation flaws (CWE-20, CWE-129) that allow an authenticated local user to execute arbitrary code on the control server. The vulnerability requires a valid workstation account but could lead to loss of system functionality, unauthorized control changes, or bypass of safety systems. Patch HF97872598 addresses these vulnerabilities and requires a reboot to apply.

What this means

What could happen

An authenticated local user could exploit buffer overflow or input validation flaws to run commands on the Foxboro DCS core control server, potentially disrupting plant operations, altering control setpoints, or bypassing safety interlocks.

Who's at risk

Energy sector operators running EcoStruxure Foxboro DCS (versions 9.5–9.8) for distributed control of generation, transmission, and plant automation. This affects primary control servers managing real-time process regulation and safety interlocks in power plants, substations, and industrial facilities using Schneider Electric's fault-tolerant control platform.

How it could be exploited

An attacker with valid credentials on a Foxboro DCS workstation exploits a buffer overflow (CWE-787) or improper input validation (CWE-20) in Core Control Services to execute arbitrary code with the same privileges as the affected service. This allows the attacker to manipulate process controls or disable critical monitoring functions.

Prerequisites

Valid local user account on the Foxboro DCS workstation
Physical or remote access to the workstation via compromised credentials
EcoStruxure Foxboro DCS Core Control Services version 9.5 to 9.8 installed

Requires valid credentials (not unauthenticated)Local or remote access via compromised accountLow complexity exploitation via buffer overflowAffects critical control infrastructureNo patch available for version 9.8 and earlier until HF97872598 appliedCVSS 7.8 (high severity)

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

EcoStruxureTM Foxboro DCS Core Control Services <= 9.8≤ 9.8HF97872598

EcoStruxureTM Foxboro DCS Core Control Services from v9.5 to v9.8≥ v9.5|<v9.8HF97872598

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDRestrict physical access to Foxboro DCS workstations by placing them in secure locations and locking cabinets; enforce strong local passwords and disable remote login where possible

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXApply Schneider Electric patch HF97872598 to EcoStruxure Foxboro DCS Core Control Services (v9.5 to v9.8). Reboot required.

Long-term hardening

0/3

HARDENINGIsolate Foxboro DCS control network from the business network using firewalls; disable programming software connections except on the dedicated control network

HARDENINGImplement network segmentation to prevent unauthorized remote access; use VPNs only for approved remote access and keep VPN software updated

HARDENINGEstablish procedures to scan removable media (USB drives, CDs) before connecting to control network nodes

CVEs (3)

CVE-2024-5679 CVE-2024-5680 CVE-2024-5681

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/20d82260-b9c4-4a13-a12d-bd46bdc0c004