Full Report
Critical and severe vulnerabilities have been identified in GP-Pro EX programming environment, Zelio Soft software and IIoT Monitor platform
Analysis Summary
Based on the provided documentation regarding the vulnerabilities identified in Schneider Electric’s industrial software ecosystem (GP-Pro EX, Zelio Soft, and IIoT Monitor), here is the summarized technical breakdown.
# Vulnerability: Multiple Flaws in Schneider Electric Industrial Solutions
## CVE Details
*Note: This advisory covers several distinct vulnerabilities.*
- **CVE ID:** CVE-2018-7811, CVE-2018-7821, CVE-2018-7822
- **CVSS Score:** 7.8 - 9.8 (High to Critical)
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-20 (Improper Input Validation)
## Affected Systems
- **Products:**
  - GP-Pro EX (HMI Development Software)
  - Zelio Soft 2 (Smart Relay Programming Software)
  - IIoT Monitor (Industrial Internet of Things monitoring platform)
- **Versions:**
  - GP-Pro EX: All versions prior to v4.08.200
  - Zelio Soft 2: All versions prior to v5.1
  - IIoT Monitor: All versions prior to v1.2.1
- **Configurations:** Systems where these applications are used to open project files from untrusted sources or are exposed to network-based configuration updates.
## Vulnerability Description
The vulnerabilities primarily involve memory corruption and improper input validation.
- In **GP-Pro EX**, a stack-based buffer overflow can be triggered when processing specially crafted project files.
- In **Zelio Soft 2**, a vulnerability exists in the handling of `.zls` project files, potentially allowing remote code execution if a user is enticed to open a malicious file.
- In **IIoT Monitor**, inadequate validation of input could allow an attacker to achieve unauthorized access or disrupt monitoring services.
## Exploitation
- **Status:** PoC available (information regarding these flaws has been disclosed in security research circles, though active exploitation in the wild had not been confirmed at the time of publication).
- **Complexity:** Medium (Often requires user interaction, such as opening a malicious file).
- **Attack Vector:** Network / Local (File-based delivery).
## Impact
- **Confidentiality:** High (Potential for data exfiltration via code execution).
- **Integrity:** High (Unauthorized modification of HMI/PLC logic).
- **Availability:** High (Potential to crash the programming environment or the linked industrial controller).
## Remediation
### Patches
- **GP-Pro EX:** Upgrade to version **v4.08.200** or later.
- **Zelio Soft 2:** Upgrade to version **v5.1** or later.
- **IIoT Monitor:** Upgrade to version **v1.2.1** or later.
### Workarounds
- **Least Privilege:** Run the software under a restricted user account to limit the impact of a potential compromise.
- **File Integrity:** Do not open project files (`.prx`, `.zls`) received from untrusted sources or via email.
- **Network Segmentation:** Ensure that engineering workstations are not directly connected to the public internet.
## Detection
- **Indicators of Compromise:** Unusual application crashes when loading specific project files; unexpected outbound network traffic from engineering workstations.
- **Detection methods and tools:** Use ICS-aware endpoint protection to monitor for buffer overflow attempts, and use file hashing to verify the integrity of project files.
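As an added example (not from the advisory or from Schneider Electric), the following Python script implements the file-hashing control mentioned above for an engineering workstation: it builds a SHA-256 manifest of approved project files (the `.prx` and `.zls` types named in the workarounds), stores it as JSON, and later verifies the working directory against it, reporting files that were modified, added or removed. The directory layout, file names and file contents in `demo()` are constructed for the demonstration; SHA-256 and the manifest format are choices made here, not anything the advisory prescribes.

```python
"""Project-file integrity check for an engineering workstation.

Added example, not code from the advisory or the vendor. Builds a SHA-256
manifest of approved project files (.prx for GP-Pro EX, .zls for Zelio Soft 2)
and verifies a directory tree against it. All paths and file contents in
demo() are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# File types the advisory's workaround section tells operators not to open from
# untrusted sources; only these are tracked in the manifest.
PROJECT_EXTENSIONS = {".prx", ".zls"}


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large project files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each project file (path relative to root, POSIX form) to its SHA-256 digest."""
    manifest = {}
    for candidate in sorted(root.rglob("*")):
        if candidate.is_file() and candidate.suffix.lower() in PROJECT_EXTENSIONS:
            manifest[candidate.relative_to(root).as_posix()] = sha256_file(candidate)
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the current tree with a stored manifest.

    Returns the three change classes a responder cares about:
    'modified' (hash differs), 'added' (project file not in the manifest)
    and 'missing' (manifest entry no longer on disk).
    """
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "added": sorted(f for f in current if f not in manifest),
        "missing": sorted(f for f in manifest if f not in current),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then alter one file and drop in an unknown one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        hmi = root / "hmi"
        hmi.mkdir()
        (hmi / "line1.prx").write_bytes(b"constructed GP-Pro EX project")
        (root / "relay.zls").write_bytes(b"constructed Zelio Soft 2 project")
        (root / "notes.txt").write_bytes(b"not a project file, ignored by the manifest")

        # Baseline taken while the files are known-good; persisted as JSON.
        baseline = build_manifest(root)
        (root / "manifest.json").write_text(json.dumps(baseline, indent=2))

        # What a replaced project file and an unsolicited new one look like on disk.
        (hmi / "line1.prx").write_bytes(b"constructed GP-Pro EX project, altered")
        (root / "emailed.zls").write_bytes(b"constructed unknown project file")

        stored = json.loads((root / "manifest.json").read_text())
        return verify_manifest(root, stored)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the manifest is written once from a trusted copy of the project tree and kept outside the workstation's project directory (for instance on read-only media), and `verify_manifest` is run before a project file is opened in the programming environment; any entry in `modified` or `added` is a file that should be quarantined rather than loaded.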
## References
- Schneider Electric Security Notifications: hxxps[://]www[.]se[.]com/ww/en/download/document/SEVD-2018-354-01/
- Schneider Electric Security Notifications: hxxps[://]www[.]se[.]com/ww/en/download/document/SEVD-2018-354-02/
- Kaspersky ICS CERT: hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2019/01/15/vulnerabilities-in-schneider-electric-industrial-solutions/