Schneider Electric InduSoft Web Studio < 7.1.3.5 Local Plaintext Password Information Disclosure (SEVD-2015-100-01)

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The InduSoft Web Studio software running on the remote host is
affected by an information disclosure vulnerability.

Description :

According to its self-reported version, the Schneider Electric
InduSoft Web Studio software running on the remote host is prior to
7.1.3.5. It is, therefore, affected by an information disclosure
vulnerability due to passwords for project windows being stored as
plaintext in configuration files. A local attacker can exploit this to
gain access to sensitive information.

See also :

http://www.nessus.org/u?0db03e3b
http://www.nessus.org/u?3b3d8571
https://ics-cert.us-cert.gov/advisories/ICSA-15-211-01

Solution :

Upgrade to Schneider Electric InduSoft Web Studio 7.1.3.5 or later.

Risk factor :

Low / CVSS Base Score : 2.1
(CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)

Family: SCADA

Nessus Plugin ID: 85403

Bugtraq ID: 76127

CVE ID: CVE-2015-1009
