Severity rating for the vulnerability is “high”

Jul 1, 2015 13:03 GMT  ·  By

Some versions of the Wonderware System Platform developed by Schneider Electric include a high-risk security vulnerability an attacker could leverage to run rogue code on the affected machine.

The severity score calculated based on CVSS (Common Vulnerability Scoring System) is 7.2 out of a maximum of 10. All revisions of the product are affected, except for the latest one ( 2014 R2 Patch 01 Update), recently released by the developer to address the issue.

Wonderware System Platform is a software product intended for industrial environments. It is an operating system that bundles in services and features designed to create a central unit for managing all processes, physical equipment and systems in a plant, as well as assist administrators with diagnostics and troubleshooting.

Successful compromise requires user interaction

The glitch, which exists in InTouch, Application Server, Historian, and SuiteLink applications, has been described as a binary planting, better known as a DLL hijacking issue, according to the security advisory from the company. It does not require authentication, and the confidentiality and integrity impact on the system is complete.

However, it cannot be exploited remotely, and as is the case with DLL hijacking, user interaction is needed, which contributes to a lower security score. This means that the attacker needs to trick the user into running a file in order to replace the original DLL component with the malicious one.

This is not impossible to achieve, but the threat actor needs to carefully plan the attack and resort to social engineering tactics to deceive the victim without raising any suspicion.

The flaw, tracked as CVE-2015-3940, was identified and reported by Ivan Sanchez of WiseSecurity Team, who also tested the patch provided by Schneider Electric and deemed it valid.

The update for the operating system is distributed as an ISO image that can be written to a DVD or mounted as a virtual drive. Schneider Electric warns that installations of Wonderware System Platform 2014 and earlier need to be updated to 2014 R2 first and then apply the available patch.