OTPulse

Schneider Electric FoxRTU Station

Plan Patch · 7.3 · ICS-CERT ICSA-24-345-03 · Jul 9, 2024
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

Schneider Electric FoxRTU Station is a software tool for configuring, diagnosing, and managing the SCD2200 Remote Terminal Unit (RTU) used in remote SCADA applications. A path traversal vulnerability (CWE-22) in FoxRTU Station prior to version 9.3.0 allows an attacker with local file write access to execute arbitrary code by placing malicious files or modifying project files, potentially leading to denial-of-service or unauthorized system access.

What this means
What could happen
An attacker with file write access to the FoxRTU Station workstation could execute arbitrary code and modify RTU settings or commands, potentially disrupting remote SCADA operations or causing unauthorized changes to controlled equipment.
Who's at risk
Energy sector organizations operating Schneider Electric EcoStruxure Foxboro SCADA systems with SCD2200 Remote Terminal Units should evaluate their exposure. This affects engineering workstations and control system management servers running FoxRTU Station software used to configure and manage RTUs in remote SCADA deployments.
How it could be exploited
The attacker must have local file system write access to the FoxRTU Station installation directory or project file storage. The attacker can then place a malicious DLL in an accessible directory or modify an existing project file, which FoxRTU Station will load and execute when opened or used for device management.
Prerequisites
  • Local file write access to FoxRTU Station installation directory or project files
  • FoxRTU Station software must be running or project files must be opened
  • User interaction required to open or load project files
no authentication required for local file access · low complexity attack · affects SCADA remote terminal units · default file permissions may allow write access
Exploitability
Moderate exploit probability (EPSS 4.5%)
Affected products (1)
Product | Affected Versions | Fix Status
FoxRTU Station prior to v9.3.0 | <9.3.0 | 9.3.0
Remediation & Mitigation
Do now
  • WORKAROUND: Implement file system access control restrictions to prevent unauthorized users from editing project files or placing files in FoxRTU Station directories
  • HARDENING: Store project files in secure storage and restrict access to trusted users only
  • HARDENING: Encrypt project files when stored and when exchanged over networks
  • WORKAROUND: Use encrypted and password-protected project files per FoxRTU Station User Guide Chapter 12
  • HARDENING: Only open project files from trusted sources
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade FoxRTU Station to version 9.3.0 or later
  • HARDENING: Compute and regularly verify file hashes of project files to detect unauthorized modifications
  • HARDENING: Use secure communication protocols (VPN, SSH, TLS) when exchanging FoxRTU project files over networks
Long-term hardening
  • HARDENING: Isolate control system networks and RTUs behind firewalls, restricting access from business networks and the internet
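
One way to carry out the "compute and regularly verify file hashes" item above, as an added example that is not part of the advisory or any Schneider Electric tooling. It baselines a directory and reports modified, newly placed, and missing files; the function names, the throwaway directory, and the file names (including the .prj extension) are constructed placeholders, not FoxRTU Station's real paths or formats.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large project archives are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Report files changed, newly placed, or missing since the baseline."""
    return {
        "modified": sorted(f for f in baseline
                           if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict:
    """Constructed sample: a temporary directory stands in for project storage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "site_a.prj").write_bytes(b"constructed project data")
        (root / "site_b.prj").write_bytes(b"constructed project data 2")
        baseline = build_manifest(root)
        # The two changes the advisory warns about: an edited project file
        # and a file newly placed in the directory.
        (root / "site_a.prj").write_bytes(b"constructed project data, edited")
        (root / "helper.dll").write_bytes(b"constructed placeholder bytes")
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline manifest somewhere the workstation's users cannot write, otherwise anyone able to alter a project file can also alter its recorded hash.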