Doc ID                : ADV234
Version              : 3.0
Status                : Published
Published date : 02/11/2015
Categories  : Foxboro Evo
I/A Series
Last Modified date : 03/05/2015

Customer Advisory
Network Time Protocol (NTP) Vulnerability
March 05, 2015


Schneider Electric is committed to ensuring that our customers and employees are kept current on issues that might affect or improve product, system or process operation. We are dedicated to providing product and application reliability, and exceptional client service.

Customer Advisories are intended to inform you of the possibility of a situation occurring at system installations, and the identified resolution. Schneider-Electric recommends that our customers consider taking action to help prevent occurrence of the identified situation during your production process.

Potential Security Vulnerability:
It is recognized that the global threat environment is constantly changing and we are committed to helping our customers protect the security of their installations. We have reviewed the issue described in this Customer Advisory and determined that, if no action is taken, there is potential security vulnerability that could allow an attacker to compromise the integrity, availability, or confidentiality of a product. We strongly advise customers to take note of the actions recommended, to test such actions or patches on non-production systems as able, prior to deployment into production environments. This approach is recommended in order to minimize risk and exposure to announced vulnerabilities.

This advisory applies to all Foxboro Evo™ Process Automation System and I/A Series® MESH Control Network users.

SITUATION
On December 19, 2014, the CERT organization released Vulnerability Note (VU#852879) “NTP Project Network Time Protocol daemon (ntpd) contains multiple vulnerabilities”. Vulnerability CVE-2014-9295 was added to the National Vulnerability Database on the December 19, 2014 and given a CVSS Base Score of 7.5 (HIGH) and an Exploitability Subscore of 10.0.

Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet, related to (1) the crypto_recv function when the Autokey Authentication feature is used, (2) the ctl_putdata function, and (3) the configure function.

SYMPTOMS
This NTP software is used in Schneider Electric Foxboro Evo control networks. There are no known exploits of this vulnerability on Foxboro Evo systems at this time.

ACTIONS OR RESOLUTIONS
Schneider Electric has issued a Quick Fix (QF1253717) to incorporate the latest released software from the NTP Project for the following platforms:

NOTE: This advisory will be updated once the fix has been made available.

For customers using older versions of I/A Series System software we recommend updating your system to one of the versions listed above and applying the QF at your earliest convenience. In the interim, to mitigate this NTP vulnerability:

Supporting Information
Updated March 5, 2015: added QF1253717

FOR INFORMATION
If you have any questions regarding this article, please contact your local Service Representative or an Schneider Electric Support Center at:

GCS Center America's GCS Asia Pacific GCS EMEA GCS
Location Foxboro MA USA Shanghai Baarn NL
Phone +1-866-746-6477 +86 21 37180086  +31-3554-84125
Internationally +1-508-549-2424    
Fax +1-508-549-4999 +86 21 37180196 +31-3554-84230
Email America's GCS Asia Pacific GCS EMEA GCS

Regards,

John Petty
Director,
Global Customer Support

Distribution to Schneider Electric Customers and Internal Personnel Only
DO NOT REPRODUCE.
All trademarks are registered to their respective owners.
All brand names are property of their respective owners.

Advisory #: 2015007abi Rev 3

©Schneider Electric. All rights reserved