Tenable Research discovered a critical remote code execution vulnerability in Schneider Electric’s InduSoft Web Studio and InTouch Machine Edition.
The researchers discovered a new stack-based buffer overflow condition in the applications that is triggered when input is not properly validated. The vulnerabilities, if exploited, could allow an unauthenticated attacker to remotely execute code with high privileges.
“A threat actor can use the compromised machine to laterally transfer within the victim’s network and to execute further attacks. Additionally, connected HMI clients and OT devices can be exposed to attack,” Tenable said in a recent blog post on Wednesday.
Schneider released a security bulletin in April with more information on the vulnerabilities and customer recommendations for upgrades. Customers running older versions of the software (i.e., v8.1 or prior) are affected and should upgrade to InduSoft Web Studio v8.1 SP1 and InTouch Machine Edition 2017 v8.1 SP1 as soon as possible.
InduSoft Web Studio software provides automation building blocks to develop Human Machine Interfaces (HMIs), SCADA systems and embedded instrumentation solutions. InTouch Machine Edition is a highly scalable, flexible HMI designed to provide everything from advanced HMI applications to embedded devices with a small footprint.
InduSoft Web Studio and InTouch Machine Edition are used in many industries worldwide, including Manufacturing, Oil and Gas, Water and Wastewater, Building Automation, Automotive, Wind and Solar Power, according to Schneider.