Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Schneider Electric IGSS Data Server Multiple Vulnerabilities

Critical

Synopsis

Tenable found multiple vulnerabilities in Schneider Electric IGSS data server (IGSSdataServer.exe) v15.0.0.21286.

1) Integer Overflow

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

An integer overflow condition exists when IGSSdataServer.exe appends an incoming request to a heap-based buffer that already contains a request. The issue results from the lack of proper validation of user-supplied data before performing memory allocation. An unauthenticated remote attacker can exploit this, via multiple specially crafted messages, to cause heap-based buffer overflow, leading to denial of service and potentially remote code execution.

The following code snippet shows the vulnerability:

IGSSdataServer.exe v15.0.0.21286
<..snip...>
.text:0049FA86  mov     ecx, [eax+FILES.curDataSize] ; attacker-controlled
.text:0049FA89  mov     edx, [ebp+pbMsgBody]
.text:0049FA8C  add     ecx, [edx+FILES_MSG_BODY.cbData] ; attacker-controlled
.text:0049FA8C                               ; int32 overflow -> small heap buf allocated
.text:0049FA92  push    ecx
.text:0049FA93  mov     eax, [ebp+obj]
.text:0049FA96  mov     ecx, [eax+FILES.pbData]
.text:0049FA99  push    ecx
.text:0049FA9A  call    ds:realloc
.text:0049FAA0  add     esp, 8
.text:0049FAA3  mov     edx, [ebp+obj]
.text:0049FAA6  mov     [edx+FILES.pbData], eax
.text:0049FAA9  mov     eax, [ebp+obj]
.text:0049FAAC  cmp     [eax+FILES.pbData], 0
.text:0049FAB0  jz      short loc_49FAF5
.text:0049FAB2  mov     ecx, [ebp+pbMsgBody]
.text:0049FAB5  mov     edx, [ecx+FILES_MSG_BODY.cbData]
.text:0049FABB  push    edx
.text:0049FABC  mov     eax, [ebp+pbMsgBody]
.text:0049FABF  add     eax, FILES_MSG_BODY.data
.text:0049FAC4  push    eax
.text:0049FAC5  mov     ecx, [ebp+obj]
.text:0049FAC8  mov     edx, [ecx+FILES.pbData]
.text:0049FACB  mov     eax, [ebp+obj]
.text:0049FACE  add     edx, [eax+FILES.curDataSize]
.text:0049FAD1  push    edx
.text:0049FAD2 copy large amount of data to the small
.text:0049FAD2 heap buffer -> buffer overflow
.text:0049FAD2  call    memcpy
<...snip...>

POC:

python3 igss_dataserver_int32_overflow.py -t <target> -p 12401
python3 igss_dataserver_int32_overflow.py -t <target> -p 12401
Traceback (most recent call last):
File "/work/0day/igss_dataserver_int32_overflow.py", line 42, in <module>
s.connect((target, port))
ConnectionRefusedError: [Errno 111] Connection refused

2) Heap-based Buffer Over-read Memory Leak DoS

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

There are multiple paths where an unauthenticated remote attacker can force IGSSdataServer.exe to allocate a large amount of memory to store attacker-controlled data. The attacker can supply a small amount of data to cause a buffer over-read condition that would generate a memory read access violation, which is handled by an exception handler implemented in IGSSdataServer.exe. However, the exception handler does not release the memory allocated by the attacker.

The attacker can repeatedly send a specially crafted message to IGSSdataServer.exe to exhaust its memory, potentially resulting in denial of service.

POC:

  • Run: python3 igss_dataserver_memleak.py -t <target> -p 12401
  • Watch: Data Server memory usage in IGSS Master -> Runtime and Diagnostics -> Detailed Status
  • Look for server log entry: FetchControl_FILES::appendRequest. Out of memory

Solution

Update to IGSS Data Server version 15.0.0.22021 or higher

Proof of Concept

https://github.com/tenable/poc/blob/master/SchneiderElectric/IGSS/igss_dataserver_int32_overflow.py
https://github.com/tenable/poc/blob/master/SchneiderElectric/IGSS/igss_dataserver_memleak.py

Disclosure Timeline

November 15, 2021 - Vulnerabilities discovered
December 3, 2021 - Vulnerabilities reported to vendor
December 6, 2021 - Vendor confirmed receipt of report and provided reference IDs 5617 and 5618
December 10, 2021 - Vendor informed Tenable that both vulnerabilities have been confirmed and they are working on an action plan for each
February 3, 2022 - Vendor shares draft security notification planned to be released February 8
February 7, 2022 - Tenable discovers patch and security notification are already publicly available

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2022-02
CVSSv3 Base / Temporal Score:
9.8 / 8.5
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Affected Products:
Schneider Electric IGSS Data Server <= V15.0.0.22020
Risk Factor:
Critical

Advisory Timeline

February 7, 2021 - Advisory published

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training