Get the latest updates and alerts on Cyber Security and Compliance from Schneider Electric Software.
December 19, 2014
InTouch Access Anywhere Server Security Vulnerability
Wonderware by Schneider Electric has created a security update to address a potential vulnerability in the product Wonderware InTouch Access Anywhere Server. This vulnerability, if exploited, could allow remote code execution and is given a rating of “Critical”. There are no known exploits in the wild at this time.
InTouch Access Anywhere Server Security Vulnerability (LFSEC00000104)
August 18, 2014
Multiple Vulnerabilities in Wonderware Information Server
In coordination with independent researcher Positive Technologies, Wonderware by Schneider Electric has created a security update for Wonderware Information Server (WIS) web pages and components to address multiple vulnerabilities including cross-site scripting, XML Entity injection, SQL injection, weak encryption and storage of SQL Accounts, and hard-coded credentials.
Multiple Vulnerabilities in Wonderware Information Server (LFSEC00000102)
June 30, 2014
Tableau OpenSSL Vulnerabilities (LFSEC000000100)
Potential security vulnerabilities have been discovered in multiple versions of the OpenSSL library used by the Tableau Desktop/Server software previously posted on WDN. Tableau Software has released a new product installer that addresses these vulnerabilities.
Tableau OpenSSL Vulnerability (LFSEC000000100)
April 21, 2014
Tableau OpenSSL Vulnerability
A vulnerability has been discovered in the OpenSSL library used by certain versions of Tableau Software Server Components previously posted on WDN. Tableau Software has released security patches for the affected versions.
Tableau OpenSSL Vulnerability (LFSEC00000098)
September 20, 2013
Wonderware InTouch Improper Input Validation Vulnerability
Positive Technologies has discovered a vulnerability in the InTouch 2012 R2 HMI product that also exists in all earlier versions. This vulnerability, if exploited, could allow attackers to access local resources (files and internal resources) or enable denial of service attacks. The rating is High; exploitation may require social engineering.
Wonderware InTouch Improper Input Validation Vulnerability (LFSEC00000081)
April 10, 2013
Multiple Vulnerabilities in Wonderware Information Server
In coordination with independent researchers Timur Yunusov, Alexey Osipov, and Ilya Karpov of the Positive Technologies Research Team, Schneider Electric Software has performed a security update of the Wonderware Information Server (WIS) web pages and components to address multiple vulnerabilities including cross-site scripting, file system access, XML Entity Injection, and blind SQL injection.
Multiple Vulnerabilities in Wonderware Information Server (LFSEC00000091)
March 1, 2013
WIN-XML Exporter Improper Input Validation Vulnerability
A vulnerability has been discovered in the WIN-XML Exporter component of Wonderware Information Server. This vulnerability, if exploited, could allow attackers to access local resources (files and internal resources) or enable denial of service attacks.
WIN-XML Exporter Improper Input Validation Vulnerability (LFSEC00000086)
Download the Microsoft File Checksum Integrity Verifier (FCIV) Utility
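The FCIV utility linked above computes MD5 and SHA-1 digests of a file (for example `fciv.exe -sha1 patch.exe`) so that a downloaded update can be compared against the digest published for it. The following is an added example, not Schneider Electric's or Microsoft's code, showing the same check in Python: it hashes the download in chunks, compares against the published digests in constant time, and treats a truncated, malformed or unsupported digest as a failure rather than silently passing. The file contents and digests in it are constructed for illustration.

```python
import hashlib
import hmac
import io

# Digest algorithms accepted from a bulletin. FCIV itself only emits md5/sha1;
# sha256 is included for bulletins that publish it.
SUPPORTED = ("md5", "sha1", "sha256")
HEX_DIGITS = set("0123456789abcdef")


def digest_stream(stream, algorithms, chunk_size=1 << 20):
    """Hash a binary stream in chunks so a large installer never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_stream(stream, published):
    """Check a stream against the digests copied from a bulletin.

    `published` maps algorithm name -> hex digest (any case, surrounding
    whitespace tolerated). Returns (ok, details); ok is True only when every
    published digest is well-formed, supported and matches.
    """
    wanted = {k.lower(): v.strip().lower() for k, v in published.items()}
    if not wanted:
        return False, {"error": "no published digest to check against"}
    unknown = [a for a in wanted if a not in SUPPORTED]
    if unknown:
        return False, {a: "unsupported algorithm" for a in unknown}

    actual = digest_stream(stream, tuple(wanted))
    details, ok = {}, True
    for algo, expected in wanted.items():
        computed = actual[algo]
        # A copy-pasted digest that is the wrong length or not hex is a
        # transcription error; refuse rather than "mismatch" it.
        if len(expected) != len(computed) or not set(expected) <= HEX_DIGITS:
            details[algo] = "malformed published digest"
            ok = False
            continue
        match = hmac.compare_digest(computed, expected)
        details[algo] = "ok" if match else "MISMATCH: computed " + computed
        ok = ok and match
    return ok, details


def verify_download(path, published):
    """Verify a file on disk (the downloaded patch) against published digests."""
    with open(path, "rb") as fh:
        return verify_stream(fh, published)


def verify_bytes(data, published):
    """Same check for in-memory bytes; convenient for tests and small artifacts."""
    return verify_stream(io.BytesIO(data), published)


if __name__ == "__main__":
    # Constructed sample standing in for a downloaded installer (not a real patch).
    sample = b"not a real installer, just constructed sample bytes\n"
    good = digest_stream(io.BytesIO(sample), ("md5", "sha1"))
    print(verify_bytes(sample, good))                 # (True, {...: 'ok'})
    print(verify_bytes(sample, {"sha1": "0" * 40}))    # (False, {... 'MISMATCH ...'})
    print(verify_bytes(sample, {"sha1": "abc"}))       # (False, {...'malformed...'})
```

Where a bulletin publishes a SHA-256 digest alongside MD5/SHA-1, check all of them; passing only the weaker digest is accepted here, but `SUPPORTED` can be narrowed to `("sha256",)` on a site that wants to refuse MD5-only verification.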
February 21, 2013
Improper Input Validation in Ruby on Rails
A vulnerability has been discovered in Ruby on Rails, which is used in the Tableau Server software components distributed with Wonderware Intelligence Software up to version 1.5 SP1. This vulnerability, if exploited, allows remote attackers to bypass intended database query restrictions, which can result in complete takeover of the host machine.
Improper Input Validation in Ruby on Rails (LFSEC00000090)
November 28, 2012
Weak Encryption for InTouch Passwords
A vulnerability has been discovered in the password storage mechanism for the "InTouch" Security Type. End users who have chosen "Windows Integrated" security for their InTouch applications rather than the "InTouch" option are not affected.
Weak Encryption for InTouch Passwords (LFSEC00000080)
September 11, 2012
InTouch 10 DLL Hijack Vulnerability
A vulnerability has been discovered in wwClintF.dll, a common component used by InTouch and other Wonderware System Platform products. This vulnerability, if exploited, could result in an attacker creating a back door into the system.
InTouch 10 DLL Hijack Vulnerability (LFSEC00000073)
Directory Traversal Vulnerabilities in Application Server Bootstrap
Schneider Electric Software has discovered directory traversal type vulnerabilities in three components that are installed by the Wonderware Application Server Bootstrap. If exploited, these vulnerabilities could lead to information disclosure, malicious file upload, or arbitrary code execution.
Directory Traversal Vulnerabilities in Application Server Bootstrap (LFSEC00000017)
May 25, 2012
SuiteLink SLSSVC Vulnerability
Schneider Electric Software is aware that a denial-of-service vulnerability, including exploit code, has been posted on the web against the Wonderware SuiteLink service. SuiteLink is a common component of the System Platform, used to transport value, time and quality of digital I/O information, together with extensive diagnostics, at high throughput between industrial devices, third-party products and Wonderware products.
Schneider Electric Software has confirmed the vulnerability exists for Wonderware products prior to the latest 2012 release and has identified mitigations for other products and prior versions.
Schneider Electric Software Security Alert (LFSEC00000038): SuiteLink Cyber Security Update 2.0 SP2 is Available
ICS-CERT ALERT "ICS-ALERT-12-136-01 - Wonderware SuiteLink Unallocated Unicode String"
This ALERT identifies an unallocated Unicode string vulnerability.
April 2, 2012
Cross-Site Scripting and SQL Injection in Wonderware Information Server pages and Memory Management issues in Historian Client controls.
In coordination with cyber researchers Terry McCorkle and Billy Rios, Schneider Electric Software has performed a security update of the Wonderware Information Server web pages to address multiple vulnerabilities including cross-site scripting and SQL-injection. In addition, memory management issues for the downloaded Historian Client controls were also addressed.
Wonderware Information Server Page and Memory Management Issues for Historian Client Security Release (LFSEC00000069)
ICS-CERT Notification - ICSA-12-062-01
March 30, 2012
Security Bulletin: System Platform Buffer Overflow
Cyber researcher Celil Unuver from SignalSec Corp has discovered two heap-based buffer overflow vulnerabilities in the WWCabFile component of the Wonderware System Platform that is used by the Wonderware Application Server, InFusion (FCS), InTouch, the ArchestrA Application Object Toolkit and the Wonderware Information Server. If exploited, these vulnerabilities could lead to arbitrary code execution. The rating is Medium due to the exploit difficulty and may require social engineering.
System Platform Buffer Overflow (LFSEC00000071)
ICS-CERT Notification - ICSA-12-081-01
February 8, 2012
Memory Corruption and XSS Vulnerabilities in Wonderware HMI Reports
Independent security researchers Billy Rios and Terry McCorkle have discovered memory corruption and cross-site scripting vulnerabilities in Wonderware HMI Reports 3.42.835.0304. These vulnerabilities, if exploited, could allow an attacker to compromise the host machine. The rating is High, but exploitation requires social engineering. Social engineering is when people are unknowingly manipulated into performing actions that may be detrimental to the system, for example asking an end user to click on an email link or download a file.
Wonderware HMI Reports Security Release (LFSEC00000059-61)
ICS-CERT Advisory -ICSA-12-039-0
ICS-CERT Advisory -ICSA-12-024-01
December 19, 2011
InBatch Long String Value Buffer Overflow
Three vulnerabilities have been discovered in the Wonderware InBatch GUIControls, BatchObjSrv and BatchSecCtrl controls. These vulnerabilities, if exploited, could allow an attacker to execute arbitrary code or cause a Denial of Service on machines with Runtime Client components of Wonderware InBatch 9.5 and older versions.
DHS – US-CERT LINK
Security Bulletin - LFSEC000000067
July 13, 2011
October 11, 2011
Buffer Overflow in RDBCMI.RuntimeDB.1 and WWView Active X Controls
Two vulnerabilities have been discovered in the Wonderware Information Server client-side RDBCMI.RuntimeDB.1 and WWView ActiveX controls. These vulnerabilities, if exploited, could cause a stack-based buffer overflow that might allow remote code execution on client machines of Wonderware Information Server versions 3.1, 4.0, 4.0 SP1 and older versions of the product.
Wonderware Information Server Client Security Release (LFSEC00000012)
ICS-CERT SECURITY ADVISORY- ICSA-11-195-01
InFusion Customer Advisory
April 8, 2011
Stack-based buffer overflow in the "Label" method of the InBatch BatchField ActiveX Control
A stack-based buffer overflow vulnerability has been discovered in the InBatch BatchField ActiveX Control. This control is installed as part of the InBatch Server and on all InBatch Runtime Clients, including when embedded in InTouch® and in any third-party InBatch client programs (VB or C++). In addition, this control can be used when publishing InTouch graphics in Wonderware Information Server.
ICS-CERT Security Notification
April 8, 2011 - LFSEC00000054
February 18, 2011
InBatch Server lm_tcp buffer overflow
A vulnerability has been discovered in the InBatch Server and I/A Batch Server in all supported versions of Wonderware InBatch and Foxboro I/A Series Batch. This vulnerability, if exploited, could allow Denial of Service (DoS), the consequence of which is a crash of the InBatch Server.
February 18, 2011 - LFSEC00000051
March 3, 2011 - ICS CERT Notification Update
Wonderware ArchestrA ConfigurationAccessComponent ActiveX Stack Overflow
A vulnerability has been discovered in a component used by the Wonderware ArchestrA IDE (Integrated Development Environment) and the InFusion IEE (Integrated Engineering Environment) in all supported versions of Wonderware Application Server and InFusion Application Environment, with the exception of the latest release, Wonderware Application Server 3.1 Service Pack 2 Patch 01 (WAS 3.1 SP2 P01).
July 2010 - LFSEC00000037
US-CERT – VU#703189