Schneider Electric InduSoft Web Studio < 8.0 SP2 Patch 1 Unspecified Remote Command Execution (LFSEC00000121)

Critical Nessus Plugin ID 104101

Synopsis

The InduSoft Web Studio software running on the remote host is affected by an information disclosure vulnerability.

Description

According to its self-reported version, the Schneider Electric InduSoft Web Studio software running on the remote host is prior to 8.0 SP2 Patch 1. It is, therefore, affected by an unspecified flaw that allow a remote attacker to bypass authentication mechanisms and execute arbitrary commands with elevated privileges.

Solution

Upgrade to Schneider Electric InduSoft Web Studio 8.0 SP2 Patch 1 or later.

See Also

http://www.nessus.org/u?e526f661

http://www.nessus.org/u?83305c3d

https://ics-cert.us-cert.gov/advisories/ICSA-17-264-01

Plugin Details

Severity: Critical

ID: 104101

File Name: scada_indusoft_web_studio_LFSEC00000121.nasl

Version: 1.4

Type: remote

Family: SCADA

Published: 2017/10/23

Modified: 2018/11/15

Dependencies: 84262

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:schneider_electric:indusoft_web_studio

Required KB Items: installed_sw/InduSoft Web Studio HTTP Server

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2017/09/15

Vulnerability Publication Date: 2017/09/15

Reference Information

CVE: CVE-2017-13997

ICSA: 17-264-01