
Schneider Electric IGSS Data Server Multiple Vulnerabilities

Critical

Synopsis

Tenable found multiple vulnerabilities in Schneider Electric IGSS data server (IGSSdataServer.exe) v15.0.0.21286.

1) Integer Overflow

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

An integer overflow condition exists when IGSSdataServer.exe appends an incoming request to a heap-based buffer that already contains a request. The issue results from the lack of proper validation of user-supplied data before performing memory allocation. An unauthenticated remote attacker can exploit this, via multiple specially crafted messages, to cause a heap-based buffer overflow, leading to denial of service and potentially remote code execution.

The following code snippet shows the vulnerability:

IGSSdataServer.exe v15.0.0.21286
<..snip...>
.text:0049FA86  mov     ecx, [eax+FILES.curDataSize] ; attacker-controlled
.text:0049FA89  mov     edx, [ebp+pbMsgBody]
.text:0049FA8C  add     ecx, [edx+FILES_MSG_BODY.cbData] ; attacker-controlled
.text:0049FA8C                               ; int32 overflow -> small heap buf allocated
.text:0049FA92  push    ecx
.text:0049FA93  mov     eax, [ebp+obj]
.text:0049FA96  mov     ecx, [eax+FILES.pbData]
.text:0049FA99  push    ecx
.text:0049FA9A  call    ds:realloc
.text:0049FAA0  add     esp, 8
.text:0049FAA3  mov     edx, [ebp+obj]
.text:0049FAA6  mov     [edx+FILES.pbData], eax
.text:0049FAA9  mov     eax, [ebp+obj]
.text:0049FAAC  cmp     [eax+FILES.pbData], 0
.text:0049FAB0  jz      short loc_49FAF5
.text:0049FAB2  mov     ecx, [ebp+pbMsgBody]
.text:0049FAB5  mov     edx, [ecx+FILES_MSG_BODY.cbData]
.text:0049FABB  push    edx
.text:0049FABC  mov     eax, [ebp+pbMsgBody]
.text:0049FABF  add     eax, FILES_MSG_BODY.data
.text:0049FAC4  push    eax
.text:0049FAC5  mov     ecx, [ebp+obj]
.text:0049FAC8  mov     edx, [ecx+FILES.pbData]
.text:0049FACB  mov     eax, [ebp+obj]
.text:0049FACE  add     edx, [eax+FILES.curDataSize]
.text:0049FAD1  push    edx
.text:0049FAD2                               ; copy large amount of data to the small
.text:0049FAD2                               ; heap buffer -> buffer overflow
.text:0049FAD2  call    memcpy
<...snip...>

POC:

python3 igss_dataserver_int32_overflow.py -t <target> -p 12401

2) Heap-based Buffer Over-read Memory Leak DoS

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

There are multiple paths where an unauthenticated remote attacker can force IGSSdataServer.exe to allocate a large amount of memory to store attacker-controlled data. The attacker can supply a small amount of data to cause a buffer over-read condition that would generate a memory read access violation, which is handled by an exception handler implemented in IGSSdataServer.exe. However, the exception handler does not release the memory allocated by the attacker.

The attacker can repeatedly send a specially crafted message to IGSSdataServer.exe to exhaust its memory, potentially resulting in denial of service.

POC:

  • Run: python3 igss_dataserver_memleak.py -t <target> -p 12401
  • Watch: Data Server memory usage in IGSS Master -> Runtime and Diagnostics -> Detailed Status
  • Look for server log entry: FetchControl_FILES::appendRequest. Out of memory
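As an added example (not code from the advisory or from Schneider Electric), the following C model of the appendRequest path shows the checks that close both findings: the uint32 wrap in curDataSize + cbData before realloc, and the declared-length versus received-length mismatch behind the over-read. The structure names, the `received` field and the 8 MiB cap are assumptions; the overflow check uses the GCC/Clang `__builtin_add_overflow` builtin.

```c
/* Added example, not code from the advisory or from the vendor.
 * Models the append path the advisory describes: a FILES object holds a
 * growing heap buffer; each incoming message body declares cbData bytes.
 * The type and function names here are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t *pbData;      /* heap buffer holding accumulated request data */
    uint32_t curDataSize; /* bytes used so far; 32-bit like the x86 target */
} files_t;

typedef struct {
    uint32_t cbData;      /* attacker-controlled declared body length */
    const uint8_t *data;  /* body bytes that actually arrived */
    uint32_t received;    /* bytes really received (assumed framing field) */
} msg_body_t;

/* Upper bound on accumulated data per object; assumed policy value. */
#define MAX_REQUEST_BYTES (8u * 1024u * 1024u)

/* Returns 0 on success, -1 on rejection. A rejected message leaves obj
 * unchanged and pins no memory, which addresses both findings:
 *  1) curDataSize + cbData is checked for uint32 wrap before realloc, so
 *     the memcpy can never exceed the allocation;
 *  2) cbData is compared with the bytes actually received before anything
 *     is allocated or copied, so a short body cannot cause an over-read
 *     and no allocation is left behind on the error path. */
int files_append(files_t *obj, const msg_body_t *msg) {
    uint32_t newSize;
    if (msg->cbData > msg->received)
        return -1;                      /* declared length exceeds actual data */
    if (__builtin_add_overflow(obj->curDataSize, msg->cbData, &newSize))
        return -1;                      /* the int32 overflow from finding 1 */
    if (newSize > MAX_REQUEST_BYTES)
        return -1;                      /* cap what an unauthenticated peer can pin */
    uint8_t *p = realloc(obj->pbData, newSize ? newSize : 1);
    if (p == NULL)
        return -1;                      /* old buffer still owned by obj; no leak */
    obj->pbData = p;
    memcpy(obj->pbData + obj->curDataSize, msg->data, msg->cbData);
    obj->curDataSize = newSize;
    return 0;
}

/* Releases the accumulated buffer; called on connection teardown. */
void files_free(files_t *obj) {
    free(obj->pbData);
    obj->pbData = NULL;
    obj->curDataSize = 0;
}
```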

Solution

Update to IGSS Data Server version 15.0.0.22021 or higher

Proof of Concept

https://github.com/tenable/poc/blob/master/SchneiderElectric/IGSS/igss_dataserver_int32_overflow.py
https://github.com/tenable/poc/blob/master/SchneiderElectric/IGSS/igss_dataserver_memleak.py

Disclosure Timeline

November 15, 2021 - Vulnerabilities discovered
December 3, 2021 - Vulnerabilities reported to vendor
December 6, 2021 - Vendor confirmed receipt of report and provided reference IDs 5617 and 5618
December 10, 2021 - Vendor informed Tenable that both vulnerabilities have been confirmed and they are working on an action plan for each
February 3, 2022 - Vendor shares draft security notification planned to be released February 8
February 7, 2022 - Tenable discovers patch and security notification are already publicly available

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID
TRA-2022-02
CVSSv3 Base / Temporal Score
9.8 / 8.5
CVSSv3 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Affected Products
Schneider Electric IGSS Data Server <= V15.0.0.22020
Risk Factor
Critical

Advisory Timeline

February 7, 2021 - Advisory published