Multiple vulnerabilities in Schneider Electric Floating License Manager

Dangerous vulnerabilities have been identified in the Schneider Electric Floating License Manager platform. Exploiting these vulnerabilities enables remote attackers to cause denial-of-service conditions, execute arbitrary code with system level privileges on the target system and redirect users to arbitrary websites for phishing attacks.

The security issues identified are associated with three vulnerabilities in Flexera Publisher – third-party software that is part of the Floating License Manager:

• CVE-2016-2177 (CVSS v.3 base score of 9.8) – heap-based buffer overflow caused by OpenSSL incorrectly using pointer arithmetic for heap-buffer boundary checks;
• CVE-2016-10395 (CVSS score of 7.8) – improper restriction of operations within the bounds of a memory buffer, causing out-of-bounds memory read access;
• CVE-2017-5571 (CVSS score of 6.1) – open redirect of user requests to a URL different from the one requested.

These vulnerabilities affect the following Schneider Electric products:

• SCADA Expert Vijeo Citect / CitectSCADA Versions 7.30, 7.40;
• CitectSCADA Version 2015, 2016;
• Vijeo Historian/CitectHistorian Versions 4.40, 4.50;
• CitectHistorian Version 2016;
• Citect Anywhere;
• PlantStruxure PES V4.3 SP1 and prior versions;
• EcoStruxure Modicon Builder V3.0 and earlier versions.

The following solutions are only affected by CVE-2016-10395:

• EcoStruxure Power Monitoring Expert 8.2 (Standard, DC, HC Editions),
• StruxureWare Power Monitoring Expert 8.1 (Standard, DC, HC Editions),
• StruxureWare Power Monitoring Expert 8.0 (Standard, DC, HC, Buildings Editions),
• StruxureWare Power Monitoring Expert 7.2.x,
• Energy Expert 1.x (formerly Power Manager)
• EcoStruxure Power SCADA Operations 8.x (formerly PowerSCADA Expert) – only with Advanced Reports and Dashboards Module.

The vendor has released updates that close the above vulnerabilities.

Sources: ICS-CERT, Schneider Electric