Full Report
Critical vulnerabilities have been identified in the SCADA/HMI solutions InduSoft Web Studio and InTouch Machine Edition, and in the Triconex Tricon model 3008 Safety Instrumented System.
Analysis Summary
Based on the security advisories from Schneider Electric regarding InduSoft Web Studio, InTouch Machine Edition, and the Triconex Tricon MP3008, here is the technical summary of the vulnerabilities.
# Vulnerability: Critical Buffer Overflow and Logic Flaws in Schneider Electric Industrial Solutions
---
## CVE Details (InduSoft & InTouch)
- **CVE ID:** CVE-2018-7790, CVE-2018-7791, CVE-2018-7792
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
## CVE Details (Triconex Tricon)
- **CVE ID:** CVE-2018-7798
- **CVSS Score:** 7.5 (High)
- **CWE:** CWE-321 (Use of Hard-coded Cryptographic Key)
---
## Affected Systems
- **Products:**
  1. InduSoft Web Studio
  2. InTouch Machine Edition
  3. Triconex Tricon Communication Module (Tricon MP3008)
- **Versions:**
  - InduSoft Web Studio v8.1 and prior
  - InTouch Machine Edition v8.1 and prior
  - Tricon MP3008 (Models used in Tricon v10.0–10.4 systems)
- **Configurations:** Systems with remote management or network-based HMI communication enabled.
---
## Vulnerability Description
- **SCADA/HMI (InduSoft/InTouch):** A stack-based buffer overflow exists in the way these solutions handle specially crafted packets. An attacker can send a malicious packet to the software's listening port (typically TCP 1234), achieving remote code execution (RCE) in the context of the user running the application.
- **Triconex Tricon:** The vulnerability involves the use of hard-coded cryptographic keys within the communication module. This could allow an attacker to intercept or spoof communications between the workstation and the safety controller.
---
## Exploitation
- **Status:** PoC available for SCADA vulnerabilities; Triconex flaws were highlighted following the "TRITON/TRISIS" malware analysis.
- **Complexity:** Low (SCADA RCE) / Medium (Triconex)
- **Attack Vector:** Network
---
## Impact
- **Confidentiality:** High (Full access to system files)
- **Integrity:** High (Ability to modify HMI logic or safety parameters)
- **Availability:** High (Potential for system crash or safety shutdown)
---
## Remediation
### Patches
- **InduSoft Web Studio:** Upgrade to v8.1 SP1 or later.
- **InTouch Machine Edition:** Upgrade to v8.1 SP1 or later.
- **Triconex:** Schneider Electric has released security updates for affected Tricon firmware. Users should contact Schneider Electric support for the specific formally validated versions for their safety site.
### Workarounds
- Protect the SCADA/HMI environment using firewalls to block port **TCP 1234** from unauthorized external access.
- Ensure Triconex safety systems are on a strictly isolated "Safety Zone" network, physically separated from the corporate and untrusted networks.
- Disable unused services and restrict access to the "Program" mode on the Tricon controller key switch.
---
## Detection
- **Indicators of Compromise:** Unusual traffic on TCP port 1234; unexpected service restarts on the HMI server.
- **Detection methods:** Use Intrusion Detection Systems (IDS) with signatures for Schneider Electric proprietary protocols (e.g., SuiteLink or EcoStruxure-related protocols). Monitor for unauthorized attempts to read/write to the safety controller.
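One way to operationalize the first indicator above, as an added example that is not taken from the advisories or from Schneider Electric: a Python check over constructed firewall flow records that flags TCP/1234 connections to the HMI server from outside an approved engineering-workstation subnet. The HMI server address (10.10.1.10), the engineering subnet (10.10.5.0/24) and the log format are assumptions.

```python
"""Flag connections to the HMI listening port (TCP 1234) that do not come from
approved engineering workstations, using constructed firewall/flow log lines."""
import re
from ipaddress import ip_address, ip_network

# Assumptions (not from the advisory): HMI server address and approved source subnet.
HMI_PORT = 1234
HMI_SERVERS = {"10.10.1.10"}
ENGINEERING_NET = ip_network("10.10.5.0/24")

# Constructed sample flow records in key=value form (not real captured traffic).
SAMPLE_LOG = """\
2018-04-20T10:15:02Z proto=tcp src=10.10.5.23 dst=10.10.1.10 dport=1234 action=allow
2018-04-20T10:15:09Z proto=tcp src=10.10.5.23 dst=10.10.1.10 dport=445 action=allow
2018-04-20T10:16:40Z proto=tcp src=192.168.77.5 dst=10.10.1.10 dport=1234 action=allow
2018-04-20T10:16:41Z proto=tcp src=203.0.113.9 dst=10.10.1.10 dport=1234 action=deny
2018-04-20T10:17:03Z proto=udp src=10.10.5.40 dst=10.10.1.10 dport=1234 action=allow
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_record(line):
    """Split one log line into a dict; the leading token is the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields

def find_suspicious_hmi_connections(log_text):
    """Return (timestamp, src, reason) for TCP/1234 flows to an HMI server whose
    source lies outside the engineering subnet. Denied flows are reported too:
    a blocked probe of the HMI port still deserves an analyst's attention."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("proto") != "tcp" or rec.get("dst") not in HMI_SERVERS:
            continue
        if int(rec.get("dport", 0)) != HMI_PORT:
            continue
        src = ip_address(rec["src"])
        if src in ENGINEERING_NET:
            continue  # approved workstation talking to the HMI
        reason = "blocked probe" if rec.get("action") == "deny" else "unapproved source reached HMI port"
        alerts.append((rec["ts"], str(src), reason))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_hmi_connections(SAMPLE_LOG):
        print(*alert)
```

The same structure extends to the second indicator by feeding service-restart events for the HMI host into a parallel check keyed on the same timestamps.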
---
## References
- Schneider Electric Advisory (InduSoft): hxxps[://]www[.]se[.]com/ww/en/download/document/SEVD-2018-102-01/
- Schneider Electric Advisory (Triconex): hxxps[://]www[.]se[.]com/ww/en/download/document/SENV-2018-001-01/
- Kaspersky ICS-CERT: hxxps[://]ics-cert[.]kaspersky[.]com/publications/blog/2018/04/19/critical-vulnerabilities-in-schneider-electric-industrial-solutions/