Schneider Electric InduSoft Web Studio < 8.0 SP2 Patch 1 Unspecified Remote Command Execution (LFSEC00000121)

Critical Nessus Plugin ID 104101

Synopsis

The InduSoft Web Studio software running on the remote host is affected by an information disclosure vulnerability.

Description

According to its self-reported version, the Schneider Electric InduSoft Web Studio software running on the remote host is prior to 8.0 SP2 Patch 1. It is, therefore, affected by an unspecified flaw that allow a remote attacker to bypass authentication mechanisms and execute arbitrary commands with elevated privileges.

Solution

Upgrade to Schneider Electric InduSoft Web Studio 8.0 SP2 Patch 1 or later.

See Also

http://www.nessus.org/u?c6e320e3

http://www.nessus.org/u?83305c3d

https://ics-cert.us-cert.gov/advisories/ICSA-17-264-01

Plugin Details

Severity: Critical

ID: 104101

File Name: scada_indusoft_web_studio_LFSEC00000121.nasl

Version: 1.3

Type: remote

Family: SCADA

Published: 2017/10/23

Modified: 2018/07/27

Dependencies: 84262

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSSv3

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:schneider_electric:indusoft_web_studio

Required KB Items: installed_sw/InduSoft Web Studio HTTP Server

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2017/09/15

Vulnerability Publication Date: 2017/09/15

Reference Information

CVE: CVE-2017-13997

ICSA: 17-264-01