The vulnerability could allow an attacker to force the software to crash or to execute arbitrary code.
# Vulnerability: Remote Code Execution in Schneider Electric IGSS
## CVE Details
- **CVE ID:** CVE-2019-12051
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
## Affected Systems
- **Products:** Schneider Electric Interactive Graphical SCADA System (IGSS)
- **Versions:** IGSS Version 14 (and prior versions)
- **Configurations:** Systems where the Data Server (IGSSdata.exe) is running and accessible over the network.
## Vulnerability Description
The vulnerability is a memory corruption flaw, specifically a stack-based buffer overflow, in the `IGSSdata.exe` component of the Schneider Electric IGSS software. It is triggered when the application mishandles specially crafted communication packets sent to the data server. Because the software does not validate the length of incoming data before copying it into a fixed-size buffer, a remote attacker can overwrite memory beyond that buffer, which is what makes both the crash and the code-execution outcomes possible.
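The missing check in plain terms, as an added illustration that is not IGSS code and does not reflect the real IGSS protocol: the wire format (a 2-byte little-endian length prefix followed by the payload), the 64-byte buffer size, and all function names below are assumptions chosen to show the CWE-119 pattern beside its hardened form.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not IGSS code. Assumed wire format:
 *   [2-byte little-endian declared payload length][payload bytes]
 * and an assumed fixed 64-byte stack buffer on the receiving side. */
#define PAYLOAD_MAX 64

typedef enum {
    PKT_OK = 0,
    PKT_TRUNCATED,   /* fewer than 2 bytes: no length field at all       */
    PKT_TOO_LONG,    /* declared length exceeds the fixed buffer          */
    PKT_SHORT        /* declared length exceeds the bytes actually present */
} pkt_status;

/* Bound the declared length both by the destination buffer and by the bytes
 * actually received, so neither the write nor the read can leave its buffer. */
static pkt_status read_declared_len(const uint8_t *pkt, size_t pkt_len, size_t *out_len)
{
    if (pkt_len < 2) return PKT_TRUNCATED;
    size_t declared = (size_t)pkt[0] | ((size_t)pkt[1] << 8);
    if (declared > PAYLOAD_MAX)  return PKT_TOO_LONG;
    if (declared > pkt_len - 2)  return PKT_SHORT;
    *out_len = declared;
    return PKT_OK;
}

/* The CWE-119 shape the advisory describes: the peer-controlled length is
 * trusted as the copy size into a fixed buffer. Kept only for contrast with
 * the hardened handler; it is never called. */
void handle_request_vulnerable(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t buf[PAYLOAD_MAX];
    if (pkt_len < 2) return;
    size_t declared = (size_t)pkt[0] | ((size_t)pkt[1] << 8);
    memcpy(buf, pkt + 2, declared);   /* declared may be far larger than sizeof buf */
    (void)buf;
}

/* Hardened handler: validate before copying and reject anything that does not fit. */
static pkt_status handle_request_hardened(const uint8_t *pkt, size_t pkt_len, size_t *copied)
{
    uint8_t buf[PAYLOAD_MAX];
    size_t n = 0;
    pkt_status st = read_declared_len(pkt, pkt_len, &n);
    *copied = 0;
    if (st != PKT_OK) return st;        /* buf is never written for a bad packet */
    memcpy(buf, pkt + 2, n);            /* n <= PAYLOAD_MAX and n <= pkt_len - 2 */
    *copied = n;
    /* ... normal processing of buf[0..n) would follow ... */
    (void)buf;
    return PKT_OK;
}

int main(void)
{
    /* Constructed packets: a well-formed one, one declaring 4096 bytes, one
     * declaring more bytes than it carries, and one with no length field. */
    const uint8_t good[]  = {5, 0, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t big[]   = {0x00, 0x10, 'x'};
    const uint8_t shrt[]  = {10, 0, 'a', 'b', 'c'};
    const uint8_t trunc[] = {5};
    const struct { const char *name; const uint8_t *p; size_t len; } cases[] = {
        {"good", good, sizeof good}, {"big", big, sizeof big},
        {"short", shrt, sizeof shrt}, {"truncated", trunc, sizeof trunc},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t copied;
        pkt_status st = handle_request_hardened(cases[i].p, cases[i].len, &copied);
        printf("%-9s -> status %d, copied %zu bytes\n", cases[i].name, (int)st, copied);
    }
    return 0;
}
```

The two bounds in `read_declared_len` are the whole fix: the first keeps the copy inside the destination buffer, the second keeps the read inside the received packet. Either one alone leaves a memory-safety defect.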
## Exploitation
- **Status:** PoC Available (Publicly documented by researchers/ZDI)
- **Complexity:** Low
- **Attack Vector:** Network
- **Requirement:** An attacker requires network access to the IGSS Data Server (typically TCP port 12401).
## Impact
- **Confidentiality:** High (Potential for unauthorized data access)
- **Integrity:** High (Potential for unauthorized system modification)
- **Availability:** High (Potential to crash the SCADA service or the host system)
## Remediation
### Patches
- **IGSS Version 14:** Update to the latest version via the IGSS Update tool or download the fix from the vendor portal.
- **Legacy Versions:** Schneider Electric recommends upgrading to Version 14 and applying the latest updates.
### Workarounds
- **Network Segmentation:** Restrict access to the IGSS network. Ensure that only authorized workstations can communicate with the IGSS Data Server.
- **Firewall Filtering:** Block or restrict access to TCP port 12401 from outside the trusted industrial control system (ICS) environment.
- **Principle of Least Privilege:** Run the IGSS services with the minimum required user permissions to limit the scope of a potential compromise.
## Detection
- **Indicators of Compromise:** Unexplained crashes of `IGSSdata.exe`; unusual spikes in traffic on port 12401; presence of shellcode signatures in network traffic logs.
- **Detection Methods:**
  - Use Intrusion Detection Systems (IDS) with rules targeting CVE-2019-12051.
  - Monitor application logs for segmentation faults or critical errors related to memory access.
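The two indicators above (crashes of `IGSSdata.exe` and unexpected traffic to TCP port 12401) checked against constructed log lines, as an added example that is not part of the advisory. The Windows Application log wording for a user-mode crash (Event ID 1000, "Faulting application name") is real; the firewall log line shape, the trusted ICS prefix `10.10.` (standing in for 10.10.0.0/16), and all function names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the advisory: a minimal scanner over constructed
 * log lines for the two indicators the Detection section names. */

/* Windows Application log, Event ID 1000 ("Application Error"), records a
 * user-mode crash; key on the faulting application name to isolate IGSSdata.exe. */
static int is_igssdata_crash(const char *line)
{
    return strstr(line, "Event ID: 1000") != NULL &&
           strstr(line, "Faulting application name: IGSSdata.exe") != NULL;
}

/* Assumed firewall/flow log line shape:
 *   "<ts> proto=tcp src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
 * Flags any connection to the Data Server port whose source is not inside the
 * trusted ICS prefix. The prefix test is a plain string comparison ("10.10."
 * matches exactly 10.10.x.x); a production version would parse the address
 * and test it against a CIDR. */
static int is_untrusted_port_12401(const char *line, const char *trusted_prefix)
{
    const char *src = strstr(line, "src=");
    if (strstr(line, "dport=12401 ") == NULL || src == NULL) return 0;
    src += 4;
    return strncmp(src, trusted_prefix, strlen(trusted_prefix)) != 0;
}

struct findings { int crashes; int untrusted_conns; };

/* Count both indicators over a batch of lines. */
static struct findings scan_lines(const char *const *lines, size_t n, const char *trusted_prefix)
{
    struct findings f = {0, 0};
    for (size_t i = 0; i < n; i++) {
        if (is_igssdata_crash(lines[i])) f.crashes++;
        if (is_untrusted_port_12401(lines[i], trusted_prefix)) f.untrusted_conns++;
    }
    return f;
}

/* Constructed sample lines: one IGSSdata.exe crash, one unrelated crash, one
 * in-segment connection to 12401, one out-of-segment connection to 12401,
 * and one out-of-segment connection to a different port. */
static const char *const SAMPLE[] = {
    "2019-07-16T10:02:11 Event ID: 1000 Source: Application Error Faulting application name: IGSSdata.exe",
    "2019-07-16T10:02:12 Event ID: 1000 Source: Application Error Faulting application name: notepad.exe",
    "2019-07-16T10:01:58 proto=tcp src=10.10.4.20 dst=10.10.1.5 dport=12401 action=allow",
    "2019-07-16T10:02:05 proto=tcp src=192.0.2.77 dst=10.10.1.5 dport=12401 action=allow",
    "2019-07-16T10:02:07 proto=tcp src=192.0.2.77 dst=10.10.1.5 dport=443 action=allow",
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    struct findings f = scan_lines(SAMPLE, SAMPLE_N, "10.10.");
    printf("IGSSdata.exe crashes: %d\n", f.crashes);
    printf("port 12401 connections from outside the ICS segment: %d\n", f.untrusted_conns);
    return 0;
}
```

A single crash of `IGSSdata.exe` is weak evidence on its own; the signal worth alerting on is a crash that follows, within a short window, a connection to port 12401 from outside the trusted segment, which is why the two counters belong in the same scan.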
## References
- **Vendor Advisory:** https://www.se.com/ww/en/download/document/SEVD-2019-162-01/
- **Kaspersky ICS CERT:** https://ics-cert.kaspersky.com/advisories/2019/07/16/dangerous-vulnerability-in-the-igss-system/
- **NVD:** https://nvd.nist.gov/vuln/detail/CVE-2019-12051