Doc ID             : ADV277
Version            : 1.0
Status             : Published
Published date     : 6/22/2017
Categories         : I/A Series, FCS (InFusion), Foxboro Evo, SECURITY ISSUE
Last Modified date :

Customer Advisory
Foxboro Evo Wonderware Historian Client: XML Injection Vulnerability
June 22, 2017


Schneider Electric is committed to ensuring that our customers and employees are kept current on issues that might affect or improve product, system or process operation. We are dedicated to providing product and application reliability, and exceptional client service.   

Customer Advisories are intended to inform you of the possibility of a situation occurring at system installations, and the identified resolution. Schneider Electric recommends that our customers consider taking action to help prevent occurrence of the identified situation during your production process.

This advisory applies to all versions of InFusion™ Control Edition, Foxboro® Control Software (FCS), and Foxboro Evo™ Control Software.

SITUATION

The Foxboro Evo Historian Client aaTrend provides historized data visualization and trending capabilities. The display configuration settings for aaTrend are stored in XML format. When aaTrend.exe loads and parses the configuration settings for a particular display, it is susceptible to XML injection attacks.

Social engineering is required for this attack to be successful. A legitimate user of the system would have to be coerced into selecting a malicious XML settings file to load.

No known public exploits specifically target this vulnerability.

CVSS 6.6 | CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H

SYMPTOMS

Successful exploitation of this vulnerability could allow a malicious entity to cause a denial of service of the trend display, or to disclose arbitrary files from the local file system to a malicious web site.
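The situation and symptoms above come down to one untrusted input: an XML settings file chosen by the user and handed to the parser. The following is an added example of a defensive pre-parse check, not aaTrend code or anything from Schneider Electric; the TrendDisplay/Tag element names and the size cap are assumptions. It refuses any file that carries a DOCTYPE (the place where external and recursively expanding entities are declared) or that is not UTF-8, so the DOCTYPE scan cannot be sidestepped by a different encoding.

```python
"""Defensive loader for an aaTrend-style XML display-settings file.

Added example for this advisory, not aaTrend code; the TrendDisplay/Tag
element names and the size cap are assumptions.
"""
import re
import xml.etree.ElementTree as ET

MAX_SETTINGS_BYTES = 1024 * 1024  # assumed cap; bounds parser work per file
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class UnsafeSettingsError(ValueError):
    """Raised when a settings file fails a pre-parse or structural check."""


def load_display_settings(data: bytes) -> dict:
    """Parse display settings, accepting only plain UTF-8 XML without a DTD."""
    if len(data) > MAX_SETTINGS_BYTES:
        raise UnsafeSettingsError("settings file exceeds size limit")
    # UTF-16/UTF-32 BOMs or a leading NUL: the byte-level DOCTYPE scan below
    # would miss a DTD written in those encodings, so refuse them outright.
    if data.startswith((b"\xff\xfe", b"\xfe\xff", b"\x00")):
        raise UnsafeSettingsError("settings file is not UTF-8 encoded")
    # No DTD means no external entities (file disclosure) and no entity
    # expansion (denial of service): display settings never need one.
    if _DOCTYPE_RE.search(data):
        raise UnsafeSettingsError("DOCTYPE declarations are not permitted")
    try:
        root = ET.fromstring(data)  # expat; with no DTD there is nothing to expand
    except ET.ParseError as exc:
        raise UnsafeSettingsError(f"malformed settings: {exc}") from exc
    if root.tag != "TrendDisplay":
        raise UnsafeSettingsError(f"unexpected root element {root.tag!r}")
    tags = [tag.get("name", "") for tag in root.iter("Tag")]
    return {"title": root.get("title", ""), "tags": tags}


def is_safe_settings(data: bytes) -> bool:
    """True when the file passes every check in load_display_settings."""
    try:
        load_display_settings(data)
        return True
    except UnsafeSettingsError:
        return False


# Constructed sample inputs for demonstration, not real product files.
CLEAN_SETTINGS = (b'<?xml version="1.0"?><TrendDisplay title="Reactor 1">'
                  b'<Tag name="TI100"/><Tag name="FI200"/></TrendDisplay>')
DTD_SETTINGS = (b'<?xml version="1.0"?><!DOCTYPE TrendDisplay [<!ENTITY e "x">]>'
                b'<TrendDisplay title="&e;"/>')
```

The parser would happily accept DTD_SETTINGS on its own (the internal entity simply expands), which is why the DOCTYPE rejection has to happen before the bytes reach the parser.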

ACTIONS OR RESOLUTIONS

Schneider Electric recommends that users take the following measures to protect themselves from social engineering attacks:

  1. Do not click web links or open unsolicited attachments in email messages.
  2. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  3. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

In addition, Schneider Electric recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  - Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.

A Quick Fix to address this issue for Control Software 6.x is estimated to be available by end of July 2017.

Supporting Information

Advisory (ICSA-17-122-01) "Schneider Electric Wonderware Historian Client"

FOR INFORMATION

If you have any questions regarding this article, please contact your local Service Representative or a Schneider Electric Support Center at:

GCS Center         Location          Phone              Internationally     Fax                Email
America's GCS      Foxboro MA USA    +1-866-746-6477    +1-508-549-2424     +1-508-549-4999    America's GCS
Asia Pacific GCS   Shanghai          +86 21 37180086                        +86 21 37180196    Asia Pacific GCS
EMEA GCS           Baarn NL          +31-3554-84125                         +31-3554-84230     EMEA GCS

Regards,

John Petty
Director,
Global Customer Support


Distribution to Schneider Electric Customers and Internal Personnel Only
DO NOT REPRODUCE.
All trademarks are registered to their respective owners.
All brand names are property of their respective owners.

Advisory#  2017010abi

© Schneider Electric. All rights reserved