Cyber Security Updates

    Get the latest updates and alerts on Cyber Security and Compliance from Schneider Electric Software.

    Date

    Notice Identification Number

    Security Vulnerability Description

    Detailed Information

    December 19, 2014

    LFSEC00000104

    InTouch Access Anywhere Server Security Vulnerability

    Wonderware by Schneider Electric has created a security update to address a potential vulnerability in the product Wonderware InTouch Access Anywhere Server. This vulnerability, if exploited, could allow remote code execution and is given a rating of “Critical”. There are no known exploits in the wild at this time.

    InTouch Access Anywhere Server Security Vulnerability (LFSEC00000104)

    August 18, 2014

    LFSEC00000102

    Multiple Vulnerabilities in Wonderware Information Server

In coordination with independent researchers at Positive Technologies, Wonderware by Schneider Electric has created a security update for Wonderware Information Server (WIS) web pages and components to address multiple vulnerabilities, including cross-site scripting, XML entity injection, SQL injection, weakly encrypted storage of SQL account credentials, and hard-coded credentials.

    Multiple Vulnerabilities in Wonderware Information Server (LFSEC00000102)

    June 30, 2014

LFSEC000000100

Tableau OpenSSL Vulnerabilities

Potential security vulnerabilities have been discovered in multiple versions of the OpenSSL library used by the Tableau Desktop/Server software previously posted on WDN. Tableau Software has released a new product installer which addresses these security vulnerabilities.

    Tableau OpenSSL Vulnerability (LFSEC000000100)

    April 21, 2014

    LFSEC00000098

    Tableau OpenSSL Vulnerability

    A vulnerability has been discovered in the OpenSSL library used by certain versions of Tableau Software Server Components previously posted on WDN. Tableau Software has released security patches for the affected versions.

    Tableau OpenSSL Vulnerability (LFSEC00000098)

    September 20, 2013

    LFSEC00000081

    Wonderware InTouch Improper Input Validation Vulnerability

Positive Technologies has discovered a vulnerability in the InTouch 2012 R2 HMI product that also exists in all previous versions. This vulnerability, if exploited, could allow attackers to access local resources (files and internal resources) or enable denial-of-service attacks. The rating is High; exploitation may require social engineering.

    Wonderware InTouch Improper Input Validation Vulnerability (LFSEC00000081)

    April 10, 2013

    LFSEC00000091

    Multiple Vulnerabilities in Wonderware Information Server

In coordination with independent researchers Timur Yunusov, Alexey Osipov, and Ilya Karpov of the Positive Technologies Research Team, Schneider Electric Software has performed a security update of the Wonderware Information Server (WIS) web pages and components to address multiple vulnerabilities, including cross-site scripting, file system access, XML entity injection, and blind SQL injection.

    Multiple Vulnerabilities in Wonderware Information Server (LFSEC00000091)
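Both Wonderware Information Server notices above (LFSEC00000091 and LFSEC00000102) list XML entity injection among the fixed issues. The following is an added example, not Wonderware or Schneider Electric code, and it says nothing about how WIS itself parses XML. It uses the .NET System.Xml classes from PowerShell to show how a parser that processes DTDs and resolves external entities splices a local file into the document, and how the same document is refused once DtdProcessing is set to Prohibit and no XmlResolver is supplied. The temp file, the element names and the payload are constructed for the demonstration.

```powershell
# Added example, not Wonderware/Schneider code: XML external entity (XXE)
# expansion versus a hardened XmlReaderSettings, using .NET System.Xml.

# Constructed stand-in for a sensitive server-side file.
$secretFile = Join-Path $env:TEMP 'xxe-demo-secret.txt'
[System.IO.File]::WriteAllText($secretFile, 'db-password=hunter2')

# Constructed attacker-controlled document: the internal DTD subset declares
# an external entity whose SYSTEM identifier points at the local file, and the
# <title> element references that entity.
$fileUri = ([System.Uri]$secretFile).AbsoluteUri
$payload = @"
<?xml version="1.0"?>
<!DOCTYPE report [ <!ENTITY ext SYSTEM "$fileUri"> ]>
<report><title>&ext;</title></report>
"@

function Read-ReportTitle {
    # Parses $Xml with the supplied reader settings and returns the text
    # content of /report/title; entity references are expanded by the reader.
    param(
        [string]$Xml,
        [System.Xml.XmlReaderSettings]$Settings
    )
    $sr = New-Object System.IO.StringReader($Xml)
    try {
        $reader = [System.Xml.XmlReader]::Create($sr, $Settings)
        while ($reader.Read()) {
            if ($reader.NodeType -eq 'Element' -and $reader.LocalName -eq 'title') {
                return $reader.ReadElementContentAsString()
            }
        }
        return $null
    } finally {
        $sr.Dispose()
    }
}

# Weak configuration: the DTD is parsed and XmlUrlResolver fetches the
# external entity, so the file contents become the title text.
$weak = New-Object System.Xml.XmlReaderSettings
$weak.DtdProcessing = [System.Xml.DtdProcessing]::Parse
$weak.XmlResolver   = New-Object System.Xml.XmlUrlResolver
'Weak settings    : ' + (Read-ReportTitle -Xml $payload -Settings $weak)

# Hardened configuration: any DTD is rejected before entities are declared,
# and with no resolver nothing external could be fetched even if it were not.
$hardened = New-Object System.Xml.XmlReaderSettings
$hardened.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
$hardened.XmlResolver   = $null
try {
    'Hardened settings: ' + (Read-ReportTitle -Xml $payload -Settings $hardened)
} catch {
    'Hardened settings: document rejected (' + $_.Exception.GetBaseException().Message + ')'
}

Remove-Item -LiteralPath $secretFile -ErrorAction SilentlyContinue
```

On .NET 4.0 and later, XmlReaderSettings already defaults to DtdProcessing.Prohibit, so the weak configuration normally arises from code that enables DTD processing explicitly or from the older XmlTextReader, which parses DTDs by default. Code that goes through XmlDocument.LoadXml rather than an XmlReader needs the document's own XmlResolver set to $null as well.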

    March 1, 2013

    LFSEC00000086

    WIN-XML Exporter Improper Input Validation Vulnerability

    A vulnerability has been discovered in the WIN-XML Exporter component of Wonderware Information Server. This vulnerability, if exploited, could allow attackers to access local resources (files and internal resources) or enable denial of service attacks.

    WIN-XML Exporter Improper Input Validation Vulnerability (LFSEC00000086)

    Download the Microsoft File Checksum Integrity Verifier (FCIV) Utility
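The FCIV link above points at Microsoft's checksum tool, which computes only MD5 and SHA-1. As an added example (not Schneider Electric or Microsoft code), the PowerShell below checks every file named in a vendor-published hash manifest against its SHA-256 digest with Get-FileHash (available since PowerShell 4.0) and reports missing or altered files before anything is installed. The manifest, the sample files and the digests are constructed for the demonstration: the first digest is the SHA-256 of the ASCII string 'hello', the other two are the SHA-256 of 'hello' followed by a newline, which neither remaining file will match.

```powershell
# Added example, not Schneider Electric or Microsoft code: verify downloaded
# update files against a SHA-256 manifest before installing them.

function Test-UpdateManifest {
    # Each manifest line is "<sha256-hex> <filename>" (the sha256sum-style
    # layout). Returns one record per line with Status OK, MISMATCH or MISSING;
    # an empty expected hash never counts as OK.
    param(
        [string[]]$ManifestLines,
        [string]$Directory
    )
    foreach ($line in $ManifestLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $expected, $name = $line.Trim() -split '\s+', 2
        $path = Join-Path $Directory $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            [pscustomobject]@{ File = $name; Status = 'MISSING'; Actual = '' }
            continue
        }
        # Get-FileHash returns upper-case hex; -eq compares case-insensitively,
        # so lower-case manifests match too.
        $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $status = if ($expected -and $actual -eq $expected) { 'OK' } else { 'MISMATCH' }
        [pscustomobject]@{ File = $name; Status = $status; Actual = $actual }
    }
}

# Constructed sample download directory: one intact file, one altered file,
# and one file the manifest lists but the download lacks.
$dir = Join-Path $env:TEMP 'fciv-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
[System.IO.File]::WriteAllBytes((Join-Path $dir 'Patch01.exe'), [System.Text.Encoding]::ASCII.GetBytes('hello'))
[System.IO.File]::WriteAllBytes((Join-Path $dir 'Patch02.exe'), [System.Text.Encoding]::ASCII.GetBytes('hell0'))

# Constructed manifest (digests described in the lead-in).
$manifest = @(
    '2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  Patch01.exe'
    '5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  Patch02.exe'
    '5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  Patch03.exe'
)

$results = Test-UpdateManifest -ManifestLines $manifest -Directory $dir
$results | Format-Table -AutoSize

# Refuse to proceed unless every listed file is present and intact.
$bad = @($results | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) {
    Write-Warning ("Do not install: {0} file(s) failed verification." -f $bad.Count)
} else {
    'All files verified; safe to install.'
}

Remove-Item -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue
```

The comparison only protects against corruption or tampering in transit if the manifest itself was obtained over a trusted channel (or is signed); a hash published alongside the download on the same compromised mirror proves nothing.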

    February 21, 2013

    LFSEC00000090

    Improper Input Validation in Ruby on Rails

A vulnerability has been discovered in Ruby on Rails, which is used in the Tableau Server software components distributed with Wonderware Intelligence Software up to version 1.5 SP1. This vulnerability, if exploited, allows remote attackers to bypass intended database query restrictions, which can result in a complete takeover of the host machine.

    Improper Input Validation in Ruby on Rails (LFSEC00000090)

    November 28, 2012

    LFSEC00000080

    Weak Encryption for InTouch Passwords

A vulnerability has been discovered in the password storage mechanism for the "InTouch" security type. End users who have chosen "Windows Integrated" security for their InTouch applications rather than the "InTouch" option are not affected.

    Weak Encryption for InTouch Passwords (LFSEC00000080)

    September 11, 2012

    LFSEC00000073

    InTouch 10 DLL Hijack Vulnerability

A vulnerability has been discovered in wwClintF.dll, a common component used by InTouch and other Wonderware System Platform products. This vulnerability, if exploited, could allow an attacker to create a back door into the system.

    InTouch 10 DLL Hijack Vulnerability (LFSEC00000073)
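The notice above names wwClintF.dll, a library shared by several System Platform products. A DLL hijack of this kind succeeds when the loader finds an attacker-supplied copy earlier in the DLL search order than the legitimate one. The PowerShell below is an added example, not Wonderware code; it makes no claim about how wwClintF.dll is actually loaded or whether the affected products use a full path. It walks the default (SafeDllSearchMode) search order for a DLL name and flags directories that ordinary users can write to and that are searched before the first directory holding the legitimate copy. The application directory is a hypothetical install path.

```powershell
# Added example, not Wonderware code: audit the DLL search order for a given
# library name and flag directories where a non-admin user could plant a copy
# that the loader would find before the legitimate one.

function Test-UserWritable {
    # True when an Allow ACE grants write or file-creation rights to a broad
    # principal. Deny ACEs, group nesting and generic rights bits are not
    # decoded; treat a hit as a lead to confirm, not a verdict.
    param([string]$Path)
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $writeBits = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor [System.Security.AccessControl.FileSystemRights]::CreateFiles)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -ne 0) { return $true }
    }
    return $false
}

function Get-DllSearchOrder {
    # Default order (SafeDllSearchMode enabled) for LoadLibrary("name.dll"):
    # application directory, System32, the 16-bit System directory, the
    # Windows directory, the current directory, then each PATH entry.
    param([string]$ApplicationDirectory)
    $fixed = @(
        $ApplicationDirectory,
        [System.Environment]::SystemDirectory,
        (Join-Path $env:SystemRoot 'System'),
        $env:SystemRoot,
        (Get-Location).ProviderPath
    )
    $pathDirs = @($env:Path -split ';' | Where-Object { $_.Trim() -ne '' })
    return @(($fixed + $pathDirs) | ForEach-Object { $_.Trim().TrimEnd('\') } | Select-Object -Unique)
}

function Find-DllHijackCandidates {
    param(
        [string]$DllName,
        [string]$ApplicationDirectory
    )
    $legitimateSeen = $false
    foreach ($dir in (Get-DllSearchOrder -ApplicationDirectory $ApplicationDirectory)) {
        $present  = Test-Path -LiteralPath (Join-Path $dir $DllName) -PathType Leaf
        $writable = Test-UserWritable -Path $dir
        if ($present -and -not $legitimateSeen) {
            $finding = if ($writable) { 'DLL loaded from here, and the directory is user-writable' } else { 'DLL loaded from here' }
        } elseif ($writable -and -not $legitimateSeen) {
            $finding = 'PLANTABLE: user-writable and searched before the real DLL'
        } elseif ($writable) {
            $finding = 'user-writable, but searched after the real DLL'
        } else {
            $finding = ''
        }
        if ($present) { $legitimateSeen = $true }
        [pscustomobject]@{ Directory = $dir; HasDll = $present; UserWritable = $writable; Finding = $finding }
    }
}

# Hypothetical install directory; substitute the real product path.
Find-DllHijackCandidates -DllName 'wwClintF.dll' -ApplicationDirectory 'C:\Program Files (x86)\Wonderware\InTouch' |
    Format-Table -AutoSize
```

Run it as the account that would be attacked, not as an administrator, since the ACL check only asks whether broad groups can write. A PLANTABLE hit is a lead: whether the process really resolves the name through this order depends on KnownDLLs, SetDefaultDllDirectories and whether the product loads the DLL by full path, which Process Monitor's NAME NOT FOUND entries for the DLL would confirm.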

    September 11, 2012

    LFSEC00000017

    Directory Traversal Vulnerabilities in Application Server Bootstrap

    Schneider Electric Software has discovered directory traversal type vulnerabilities in three components that are installed by the Wonderware Application Server Bootstrap. If exploited, these vulnerabilities could lead to information disclosure, malicious file upload, or arbitrary code execution.

    Directory Traversal Vulnerabilities in Application Server Bootstrap (LFSEC00000017)

    May 25, 2012

    LFSEC00000038

    SuiteLink SLSSVC Vulnerability

Schneider Electric Software is aware that a denial-of-service vulnerability, including exploit code, has been posted on the web against the Wonderware SuiteLink service. SuiteLink is a common component of the System Platform, used to transport the value, time and quality of I/O data and extensive diagnostics at high throughput between industrial devices, third-party products and Wonderware products.

    Schneider Electric Software has confirmed the vulnerability exists for Wonderware products prior to the latest 2012 release and has identified mitigations for other products and prior versions.

    Schneider Electric Software Security Alert (LFSEC00000038): SuiteLink Cyber Security Update 2.0 SP2 is Available

    ICS-CERT ALERT "ICS-ALERT-12-136-01 - Wonderware SuiteLink Unallocated Unicode String"

    This ALERT identifies an unallocated Unicode string vulnerability.

    April 2, 2012

    LFSEC00000069

    Cross-Site Scripting and SQL Injection in Wonderware Information Server pages and Memory Management issues in Historian Client controls.

    In coordination with cyber researchers Terry McCorkle and Billy Rios, Schneider Electric Software has performed a security update of the Wonderware Information Server web pages to address multiple vulnerabilities including cross-site scripting and SQL-injection. In addition, memory management issues for the downloaded Historian Client controls were also addressed.

    Wonderware Information Server Page and Memory Management Issues for Historian Client Security Release (LFSEC00000069)

    ICS-CERT Notification - ICSA-12-062-01

    March 30, 2012

    LFSEC00000071

System Platform Buffer Overflow

Cyber researcher Celil Unuver of SignalSec Corp has discovered two heap-based buffer overflow vulnerabilities in the WWCabFile component of the Wonderware System Platform, which is used by the Wonderware Application Server, InFusion (FCS), InTouch, the ArchestrA Application Object Toolkit and the Wonderware Information Server. If exploited, these vulnerabilities could lead to arbitrary code execution. The rating is Medium because of the difficulty of exploitation, which may require social engineering.

    System Platform Buffer Overflow (LFSEC00000071)

    ICS-CERT Notification - ICSA-12-081-01

    February 8, 2012

    LFSEC00000059-61

Memory Corruption and XSS Vulnerabilities in Wonderware HMI Reports

Independent security researchers Billy Rios and Terry McCorkle have discovered memory corruption and cross-site scripting vulnerabilities in Wonderware HMI Reports 3.42.835.0304. These vulnerabilities, if exploited, could allow an attacker to compromise the host machine. The rating is High, but exploitation requires social engineering, that is, manipulating people into unknowingly performing actions that may be detrimental to the system, for example asking an end user to click on an email link or download a file.

    Wonderware HMI Reports Security Release (LFSEC00000059-61)

ICS-CERT Advisory - ICSA-12-039-0

ICS-CERT Advisory - ICSA-12-024-01

    December 19, 2011

    LFSEC000000067

InBatch Long String Value Buffer Overflow

Three vulnerabilities have been discovered in the Wonderware InBatch GUIControls, BatchObjSrv and BatchSecCtrl controls. These vulnerabilities, if exploited, could allow an attacker to execute arbitrary code or cause a denial of service on machines with Runtime Client components of Wonderware InBatch 9.5 and older versions.

    DHS – US-CERT LINK

    Security Bulletin- LFSEC000000067

July 13, 2011 (revised October 11, 2011)

    LFSEC00000012

    Buffer Overflow in RDBCMI.RuntimeDB.1 and WWView Active X Controls

Two vulnerabilities have been discovered in the Wonderware Information Server client-side RDBCMI.RuntimeDB.1 and WWView ActiveX controls. These vulnerabilities, if exploited, could cause a stack-based buffer overflow that might allow remote code execution on client machines of Wonderware Information Server versions 3.1, 4.0, 4.0 SP1 and older versions of the product.

    Wonderware Information Server Client Security Release (LFSEC00000012)

    ICS-CERT SECURITY ADVISORY- ICSA-11-195-01

    InFusion Customer Advisory

    April 8, 2011

    LFSEC00000054

    Stack Based buffer overflow in the “Label” method, in the InBatch BatchField ActiveX Control

    A vulnerability (Stack overflow) has been discovered in the InBatch BatchField ActiveX Control. This control is installed as part of the InBatch Server and on all InBatch Runtime Clients, including when used embedded in InTouch® and any third party InBatch Client Programs (VB or C++). In addition, this control can be used in publishing InTouch graphics in Wonderware Information Server.

    ICS-CERT Security Notification

    April 8, 2011 - LFSEC00000054

February 18, 2011 (revision)

    LFSEC00000051

InBatch Server lm_tcp Buffer Overflow

A vulnerability has been discovered in InBatch Server and I/A Batch Server in all supported versions of Wonderware InBatch and Foxboro I/A Series Batch. This vulnerability, if exploited, could allow Denial of Service (DoS), the consequence of which is a crash of the InBatch Server.

    February 18, 2011 - LFSEC00000051

    March 3, 2011 - ICS CERT Notification Update

    July 2010

    LFSEC00000037

    Wonderware ArchestrA ConfigurationAccessComponent ActiveX Stack Overflow

A vulnerability has been discovered in a component used by the Wonderware ArchestrA IDE (Integrated Development Environment) and the InFusion IEE (Integrated Engineering Environment) in all supported versions of Wonderware Application Server and InFusion Application Environment, with the exception of the latest, Wonderware Application Server 3.1 Service Pack 2 Patch 01 (WAS 3.1 SP2 P01).

    July 2010 - LFSEC00000037

    US-CERT – VU#703189