InduSoft Web Studio < v8.1 + SP1 RCE

Critical Nessus Network Monitor Plugin ID 700241

Synopsis

A vulnerable version of InduSoft Web Studio has been detected.

Description

InduSoft Web Studio versions prior to v8.1 + SP1 contain a stack-based buffer overflow vulnerability during tag, alarm, or event-related actions such as read and write, with potential for code to be executed. The code would be executed under high privileges and could lead to a complete compromise of the InduSoft Web Studio server machine.

Solution

Upgrade to InduSoft Web Studio v8.1 SP1.

See Also

http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000125

Plugin Details

Severity: Critical

ID: 700241

Family: SCADA

Published: 2018/04/16

Modified: 2018/04/16

Dependencies: 8031

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 9.8

Temporal Score: 9.3

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:indusoft:web_studio

Patch Publication Date: 2018/04/06

Vulnerability Publication Date: 2018/04/06