Schneider Electric’s industrial software business and AVEVA have combined to create a new global leader in engineering and industrial software. For more details click here.
English (United States)
Call us! 512-349-0334 or (877) INDUSOFT

Security Updates and Hotfixes

Below you will find a list of various hotfixes for InduSoft Web Studio. They are version dependent so please choose only the hotfixes relevant to your version.

Click here to view the release notes for recent InduSoft Web Studio versions.

You can also request any of the hotfixes below by phone at (US) 512.349.0334 or by fax 512.349.0375.

AVEVA Security Bulletin LFSEC00000128

Title
InduSoft Web Studio and InTouch Machine Edition – Remote Code Execution Vulnerability 

Rating
Critical

Published By
AVEVA Software Security Response Center


Overview

AVEVA Software, LLC. (“AVEVA”) has created a security update to address vulnerabilities in 

  • InduSoft Web Studio v8.1 and v8.1 SP1
  • InTouch Machine Edition 2017 v8.1 and v8.1 SP1

The vulnerabilities, if exploited against the TCP/IP Server Task, could allow an unauthenticated user to remotely execute code with the same privileges as that of the InduSoft Web Studio or InTouch Machine Edition runtime. If the TCP/IP Server Task is disabled, InduSoft Web Studio is not vulnerable.

AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.

Recommendations

Customers using InduSoft Web Studio v8.1 SP1 are affected and should apply InduSoft Web Studio Hotfix 81.1.00.08 as soon as possible. Customers using InduSoft Web Studio v8.1 are also affected and should first upgrade to InduSoft Web Studio v8.1 SP1 and then apply the hotfix.

Customers using InTouch Machine Edition 2017 v8.1 SP1 are affected and should apply InTouch Machine Edition Hotfix 81.1.00.08 as soon as possible. Customers using InTouch Machine Edition 2017 v8.1 are also affected and should first upgrade to InTouch Machine Edition 2017 v8.1 SP1 and then apply the hotfix.

To identify which version of InduSoft Web Studio or InTouch Machine Edition you have installed:

  • Windows Desktop or Server operating system: Navigate to Windows Programs and Features, locate the “InduSoft Web Studio” or “InTouch Machine Edition” entries to review the displayed installed version.

  • On a Windows Embedded operating system: navigate to the Bin folder in the installation location of InduSoft Web Studio or InTouch Machine Edition and open the file “CEView.ini”. The installed version can be observed from the “version=*.*.*” attribute within the file.

Vulnerability Details

InduSoft Web Studio and InTouch Machine Edition provide the capability for an HMI client to read, write tags and monitor alarms and events. A remote user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with potential for code to be executed. The code would be executed under the privileges of the Indusoft Web Studio or InTouch Machine Edition runtime and could lead to a compromise of the InduSoft Web Studio or InTouch Machine Edition server machine.

Security Update

The following Security Updates address the vulnerabilities outlined in this Security Bulletin.

July 13, 2018: InduSoft Web Studio Hotfix 81.1.00.08
July 13, 2018: InTouch Machine Edition Hotfix 81.1.00.08

Affected Products, Components, and Corrective Security Patches

The following table identifies the currently supported products affected. Software updates can be downloaded from the Global Customer Support “Software Download” area or from the links below:

Product and Component

Supported Operating System

Security Impact

Severity Rating

Software Security Update

InduSoft Web Studio v8.1 SP1

Multiple, Embedded

Confidentiality, Integrity, Availability

Critical

Download Hotfix

InTouch Machine Edition 2017 v8.1 SP1

Multiple, Embedded

Confidentiality, Integrity, Availability

Critical

Download Hotfix


Vulnerability Characterization and CVSSv3 Rating

CWE-121: Stack-based Buffer Overflow

Acknowledgements

AVEVA would like to thank:

  • Tenable Research for the discovery and responsible disclosure of this vulnerability.

  • ICS-Cert for coordination and advisories.

Support

For information on how to reach AVEVA support for your product, please refer to this link: AVEVA Software Global Customer Support.

If you discover errors or omissions in this Security Notification, please report the finding to Support.

AVEVA Security Central

For the latest security information and security updates, please visit Security Central.

Cyber Security Standards and Best Practices

For information regarding how to secure Industrial Control Systems please reference NIST SP800-82r2.

NVD Common Vulnerability Scoring System (CVSS v3)

The U.S. Department of Homeland Security has adopted the common Vulnerability Scoring System (CVSS v3) that provides an open framework for communicating the characteristics and impacts of IT vulnerabilities.  CVSS v3 produces a numerical score as well as a textual representation of that score reflecting the severity of a vulnerability.  Scores range from 0.0 (no impact) to a maximum of 10.0 (critical impact with minimal effort to exploit). For additional information please refer to the CVSSv3 specifications.

Disclaimer

THE INFORMATION PROVIDED HEREIN IS PROVIDED “AS-IS” AND WITHOUT WARRANTY OF ANY KIND. AVEVA AND ITS AFFILIATES, PARENT AND SUBSIDIARIES DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY AVEVA, ITS DEALERS, DISTRIBUTORS, AGENTS OR EMPLOYEES WILL CREATE A WARRANTY AND CUSTOMER MAY NOT RELY ON ANY SUCH INFORMATION OR ADVICE.

AVEVA DOES NOT WARRANT THAT THE SOFTWARE WILL MEET CUSTOMER’S REQUIREMENTS, THAT THE SOFTWARE WILL OPERATE IN COMBINATIONS OTHER THAN AS SPECIFIED IN AVEVA DOCUMENTATION OR THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE.

IN NO EVENT WILL AVEVA OR ITS SUPPLIERS, DEALERS, DISTRIBUTORS, AGENTS OR EMPLOYEES BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR USE, INCURRED BY CUSTOMER OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, EVEN IF AVEVA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. AVEVA LIABILITY FOR DAMAGES AND EXPENSES HEREUNDER OR RELATING HERETO (WHETHER IN AN ACTION IN CONTRACT, TORT OR OTHERWISE) WILL IN NO EVENT EXCEED THE AMOUNT OF ONE HUNDRED DOLLARS ($100 USD).


Security Bulletin LFSEC00000125

Title
InduSoft Web Studio and InTouch Machine Edition – Remote Code Execution Vulnerability 

Rating
Critical

Published By
Schneider Electric Software Security Response Center


Overview

Schneider Electric Software, LLC (“Schneider Electric Software”) has created a security update to address vulnerabilities in 

  • InduSoft Web Studio v8.1 and prior versions
  • InTouch Machine Edition 2017 v8.1 and prior versions

The vulnerabilities, if exploited, could allow an un-authenticated malicious entity to remotely execute code with high privileges.

Schneider Electric Software recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.

Recommendations

Customers using InduSoft Web Studio v8.1 or prior versions are affected and should upgrade and apply InduSoft Web Studio v8.1 SP1 as soon as possible. 

Customers using InTouch Machine Edition 2017 v8.1 or prior versions are affected and should upgrade and apply InTouch Machine Edition 2017 v8.1 SP1 as soon as possible. 

Background

InduSoft Web Studio is a powerful collection of tools that provide all the automation building blocks to develop HMIs, SCADA systems and embedded instrumentation solutions. InTouch Machine Edition is a highly scalable, flexible HMI designed to provide everything from advanced HMI applications to small-footprint embedded devices. InduSoft Web Studio and InTouch Machine Edition are used in many industries worldwide, including Manufacturing, Oil and Gas, Water and Wastewater, Building Automation, Automotive, Wind and Solar Power.

To identify which version of InduSoft Web Studio or InTouch Machine Edition you have installed:

  • On a Windows Desktop or Server operating system, navigate to Windows Programs and Features, locate the “InduSoft Web Studio” or “InTouch Machine Edition” entries and observe the displayed installed version.

  • On a Windows Embedded operating system, navigate to the Bin folder in the installation location of InduSoft Web Studio or InTouch Machine Edition and open the file “CEView.ini”. The installed version can be observed from the “version=*.*.*” attribute within the file. 

Vulnerability Details
InduSoft Web Studio and InTouch Machine Edition provide the capability for an HMI client to read, write tags and monitor alarms and events. A remote malicious entity could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with potential for code to be executed. The code would be executed under high privileges and could lead to a complete compromise of the InduSoft Web Studio or InTouch Machine Edition server machine.

Security Update
The following Security Updates address the vulnerabilities outlined in this Security Bulletin.

April 6, 2018: InduSoft Web Studio v8.1 SP1
April 6, 2018: InTouch Machine Edition 2017 v8.1 SP1

Affected Products, Components, and Corrective Security Patches
The following table identifies the currently supported products affected. Software updates can be downloaded from the Global Customer Support “Software Download” area or from the links below:

>

Product and Component

Supported Operating System

Security Impact

Severity Rating

Software Security Update

InduSoft Web Studio v8.1 or prior

Multiple, Embedded

Confidentiality, Integrity, Availability

Critical

http://download.indusoft.com/81.1.0/IWS81.1.0.zip

InTouch Machine Edition 2017 v8.1 prior

Multiple, Embedded

Confidentiality, Integrity, Availability

Critical

https://gcsresource.schneider-electric.com/tracking/ConfirmDownload.aspx?id=22530


Vulnerability Characterization and CVSSv3 Rating

CWE-121: Stack-based Buffer Overflow

Acknowledgements
Schneider Electric would like to thank:

  • Tenable Research for the discovery and responsible disclosure of this vulnerability.

  • ICS-Cert for coordination and advisories.

Support
For information on how to reach Schneider Electric support for your product, please refer to this link:  Schneider Electric Software Global Customer Support.

If you discover errors or omissions in this Security Notification, please report the finding to Support.

Wonderware Security Central
For the latest security information and security updates, please visit Security Central.

Cyber Security Standards and Best Practices
For information regarding how to secure Industrial Control Systems please reference NIST SP800-82r2.

NVD Common Vulnerability Scoring System (CVSS v3)
The U.S. Department of Homeland Security has adopted the common Vulnerability Scoring System (CVSS v3) that provides an open framework for communicating the characteristics and impacts of IT vulnerabilities.  CVSS v3 produces a numerical score as well as a textual representation of that score reflecting the severity of a vulnerability.  Scores range from 0.0 (no impact) to a maximum of 10.0 (critical impact with minimal effort to exploit). For additional information please refer to the CVSSv3 specifications.

Disclaimer
THE INFORMATION PROVIDED HEREIN IS PROVIDED “AS-IS” AND WITHOUT WARRANTY OF ANY KIND. SCHNEIDER ELECTRIC AND ITS AFFILIATES, PARENT AND SUBSIDIARIES (COLLECTIVELY, “SCHNEIDER ELECTRIC”)  DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY SCHNEIDER ELECTRIC, ITS DEALERS, DISTRIBUTORS, AGENTS OR EMPLOYEES WILL CREATE A WARRANTY AND CUSTOMER MAY NOT RELY ON ANY SUCH INFORMATION OR ADVICE.   

SCHNEIDER ELECTRIC DOES NOT WARRANT THAT THE SOFTWARE WILL MEET CUSTOMER’S REQUIREMENTS, THAT THE SOFTWARE WILL OPERATE IN COMBINATIONS OTHER THAN AS SPECIFIED IN SCHNEIDER ELECTRIC’S DOCUMENTATION OR THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE. 

IN NO EVENT WILL SCHNEIDER ELECTRIC OR ITS SUPPLIERS, DEALERS, DISTRIBUTORS, AGENTS OR EMPLOYEES BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR USE, INCURRED BY CUSTOMER OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SCHNEIDER ELECTRIC’S LIABILITY FOR DAMAGES AND EXPENSES HEREUNDER OR RELATING HERETO (WHETHER IN AN ACTION IN CONTRACT, TORT OR OTHERWISE) WILL IN NO EVENT EXCEED THE AMOUNT OF ONE HUNDRED DOLLARS ($100 USD).

The Schneider Electric industrial software business and AVEVA have merged to trade as AVEVA Group plc, a UK listed company. The Schneider Electric and Life Is On trademarks are owned by Schneider Electric and are being licensed to AVEVA by Schneider Electric.


Security Bulletin LFSEC00000124

Title
InduSoft Web Studio and InTouch Machine Edition – Remote Code Execution Vulnerability 

Rating
Critical

Published By
Schneider Electric Software Security Response Center


Overview

Schneider Electric Software, LLC (“Schneider Electric”) has created a security update to address vulnerabilities in 

  • InduSoft Web Studio v8.0 SP2 Patch 1 and prior versions
  • InTouch Machine Edition v8.0 SP2 Patch 1 and prior versions

The vulnerabilities, if exploited, could allow an un-authenticated malicious entity to remotely execute code with high privileges.

Schneider Electric recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.

Recommendations

Customers using InduSoft Web Studio v8.0 SP2 Patch 1 or prior versions are affected and should upgrade and apply InduSoft Web Studio v8.1 as soon as possible. 

Customers using InTouch Machine Edition v8.0 SP2 Patch 1 or prior versions are affected and should upgrade and apply InTouch Machine Edition 2017 v8.1 as soon as possible. 

Background

InduSoft Web Studio is a powerful collection of tools that provide all the automation building blocks to develop HMIs, SCADA systems and embedded instrumentation solutions. InTouch Machine Edition is a highly scalable, flexible HMI designed to provide everything from advanced HMI applications to small-footprint embedded devices. InduSoft Web Studio and InTouch Machine Edition are used in many industries worldwide, including Manufacturing, Oil and Gas, Water and Wastewater, Building Automation, Automotive, Wind and Solar Power.

To identify which version of InduSoft Web Studio or InTouch Machine Edition you have installed:

  • On a Windows Desktop or Server operating system, navigate to Windows Programs and Features, locate the “InduSoft Web Studio” or “InTouch Machine Edition” entries and observe the displayed installed version.

  • On a Windows Embedded operating system, navigate to the Bin folder in the installation location of InduSoft Web Studio or InTouch Machine Edition and open the file “CEView.ini”. The installed version can be observed from the “version=*.*.*” attribute within the file. 

Vulnerability Details
InduSoft Web Studio and InTouch Machine Edition provide the capability for an HMI client to subscribe to tags and monitor their values. A remote malicious entity could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag subscription, with potential for code to be executed. The code would be executed under high privileges and could lead to a complete compromise of the InduSoft Web Studio or InTouch Machine Edition server machine.

Security Update
The following Security Updates address the vulnerabilities outlined in this Security Bulletin.

Nov 9, 2017: InduSoft Web Studio v8.1
Nov 9, 2017: InTouch Machine Edition v8.1

Affected Products, Components, and Corrective Security Patches
The following table identifies the currently supported products affected. Software updates can be downloaded from the Global Customer Support “Software Download” area or from the links below:

Product and Component

Supported Operating System

Security Impact

Severity Rating

Software Security Update

InduSoft Web Studio v8.0 SP2 Patch 1 or prior

Multiple, Embedded

Confidentiality, Integrity, Availability

Critical

http://download.indusoft.com/81.0.0/IWS81.0.0.zip

InTouch Machine Edition v8.0 SP2 Patch 1 or prior

Multiple, Embedded

Confidentiality, Integrity, Availability

Critical

https://gcsresource.invensys.com/tracking/ConfirmDownload.aspx?id=22486


Vulnerability Characterization and CVSSv3 Rating

CWE-121: Stack-based Buffer Overflow

Acknowledgements
Schneider Electric would like to thank:

  • Aaron Portnoy formerly of Exodus Intelligence for the discovery and responsible disclosure of this vulnerability.

  • ICS-Cert for coordination and advisories.

Support
For information on how to reach Schneider Electric support for your product, please refer to this link:  Schneider Electric Software Global Customer Support.

If you discover errors or omissions in this Security Notification, please report the finding to Support.

Wonderware Security Central
For the latest security information and security updates, please visit Security Central.

Cyber Security Standards and Best Practices
For information regarding how to secure Industrial Control Systems please reference NIST SP800-82r2.

NVD Common Vulnerability Scoring System (CVSS v3)
The U.S. Department of Homeland Security has adopted the common Vulnerability Scoring System (CVSS v3) that provides an open framework for communicating the characteristics and impacts of IT vulnerabilities.  CVSS v3 produces a numerical score as well as a textual representation of that score reflecting the severity of a vulnerability.  Scores range from 0.0 (no impact) to a maximum of 10.0 (critical impact with minimal effort to exploit). For additional information please refer to the CVSSv3 specifications.

Disclaimer
THE INFORMATION PROVIDED HEREIN IS PROVIDED “AS-IS” AND WITHOUT WARRANTY OF ANY KIND. SCHNEIDER ELECTRIC AND ITS AFFILIATES, PARENT AND SUBSIDIARIES (COLLECTIVELY, “SCHNEIDER ELECTRIC”)  DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY SCHNEIDER ELECTRIC, ITS DEALERS, DISTRIBUTORS, AGENTS OR EMPLOYEES WILL CREATE A WARRANTY AND CUSTOMER MAY NOT RELY ON ANY SUCH INFORMATION OR ADVICE.   

SCHNEIDER ELECTRIC DOES NOT WARRANT THAT THE SOFTWARE WILL MEET CUSTOMER’S REQUIREMENTS, THAT THE SOFTWARE WILL OPERATE IN COMBINATIONS OTHER THAN AS SPECIFIED IN SCHNEIDER ELECTRIC’S DOCUMENTATION OR THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE. 

IN NO EVENT WILL SCHNEIDER ELECTRIC OR ITS SUPPLIERS, DEALERS, DISTRIBUTORS, AGENTS OR EMPLOYEES BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR USE, INCURRED BY CUSTOMER OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SCHNEIDER ELECTRIC’S LIABILITY FOR DAMAGES AND EXPENSES HEREUNDER OR RELATING HERETO (WHETHER IN AN ACTION IN CONTRACT, TORT OR OTHERWISE) WILL IN NO EVENT EXCEED THE AMOUNT OF ONE HUNDRED DOLLARS ($100 USD). 


InduSoft and InTouch Machine Edition Security Bulletin LFSEC00000121

Title
InduSoft Web Studio and InTouch Machine Edition – Remote Arbitrary Command Execution Vulnerability 

Rating
Critical

Published By
Schneider Electric Software Security Response Center



Overview
Schneider Electric Software, LLC (“Schneider Electric”) has created a security update to address vulnerabilities in 

  • InduSoft Web Studio v8.0 SP2 and prior
  • InTouch Machine Edition v8.0 SP2 and prior

The vulnerabilities, if exploited, could allow an un-authenticated malicious entity to remotely execute arbitrary commands with high privileges.

Schneider Electric recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.

This security bulletin announces the software security updates for

  • InduSoft Web Studio v8.0 SP2 and prior
  • InTouch Machine Edition v8.0 SP2 and prior

Recommendations
Customers using InduSoft Web Studio v8.0 SP2 or prior are affected and should upgrade and apply InduSoft Web Studio v8.0 SP2 Patch 1 as soon as possible.

Customers using InTouch Machine Edition v8.0 SP2 or prior are affected and should upgrade and apply InTouch Machine Edition v8.0 SP2 Patch 1 as soon as possible. 

Background
InduSoft Web Studio is a powerful collection of tools that provide all the automation building blocks to develop HMIs, SCADA systems and embedded instrumentation solutions. InTouch Machine Edition is a highly scalable, flexible HMI designed to provide everything from advanced HMI applications to small-footprint embedded devices. InduSoft Web Studio and InTouch Machine Edition are used in many industries worldwide, including Manufacturing, Oil and Gas, Water and Wastewater, Building Automation, Automotive, Wind and Solar Power.

To identify the version of InduSoft Web Studio you have installed, navigate to Windows Programs and Features, locate “InduSoft Web Studio” installation and check the installed version.  

Vulnerability Details
InduSoft Web Studio and InTouch Machine Edition provide the capability for an HMI client to trigger script execution on the server for the purposes of performing customized calculations or actions. A remote malicious entity could bypass the server authentication and trigger an arbitrary command to be executed. The command is executed under high privileges and could lead to a complete compromise of the server machine.

Security Update
The following Security Updates address the vulnerabilities outlined in this Security Bulletin.

Sept 15, 2017: InduSoft Web Studio v8.0 SP2 Patch 1
Sept 15, 2017: InTouch Machine Edition v8.0 SP2 Patch 1 


Affected Products, Components, and Corrective Security Patches
The following table identifies the currently supported products affected. Software updates can be downloaded from the Global Customer Support “Software Download” area or from the links below:

Product and Component

Supported Operating System

Security Impact

Severity Rating

Software Security Update

InduSoft Web Studio v8.0 SP2 or prior

Multiple

Confidentiality, Integrity, Availability

Critical

InduSoft Web Studio v8.0 SP2 Patch 1

InTouch Machine Edition v8.0 SP2 or prior

Multiple, Embedded

Confidentiality, Integrity, Availability

Critical

InTouch Machine Edition v8.0 SP2 Patch 1


Vulnerability Characterization and CVSSv3 Rating

CWE-306: Missing Authentication for Critical Function

Acknowledgements
Schneider Electric would like to thank:

  • Aaron Portnoy formerly of Exodus Intelligence for the discovery and responsible disclosure of this vulnerability.

  • ICS-Cert for coordination and advisories.

Support
For information on how to reach Schneider Electric support for your product, please refer to this link:  Schneider Electric Software Global Customer Support.

If you discover errors or omissions in this Security Notification, please report the finding to Support.

Wonderware Security Central
For the latest security information and security updates, please visit Security Central.

Cyber Security Standards and Best Practices
For information regarding how to secure Industrial Control Systems please reference NIST SP800-82r2.

NVD Common Vulnerability Scoring System (CVSS v3)
The U.S. Department of Homeland Security has adopted the common Vulnerability Scoring System (CVSS v3) that provides an open framework for communicating the characteristics and impacts of IT vulnerabilities.  CVSS v3 produces a numerical score as well as a textual representation of that score reflecting the severity of a vulnerability.  Scores range from 0.0 (no impact) to a maximum of 10.0 (critical impact with minimal effort to exploit). For additional information please refer to the CVSSv3 specifications.

Disclaimer
THE INFORMATION PROVIDED HEREIN IS PROVIDED “AS-IS” AND WITHOUT WARRANTY OF ANY KIND. SCHNEIDER ELECTRIC AND ITS AFFILIATES, PARENT AND SUBSIDIARIES (COLLECTIVELY, “SCHNEIDER ELECTRIC”)  DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY SCHNEIDER ELECTRIC, ITS DEALERS, DISTRIBUTORS, AGENTS OR EMPLOYEES WILL CREATE A WARRANTY AND CUSTOMER MAY NOT RELY ON ANY SUCH INFORMATION OR ADVICE.   

SCHNEIDER ELECTRIC DOES NOT WARRANT THAT THE SOFTWARE WILL MEET CUSTOMER’S REQUIREMENTS, THAT THE SOFTWARE WILL OPERATE IN COMBINATIONS OTHER THAN AS SPECIFIED IN SCHNEIDER ELECTRIC’S DOCUMENTATION OR THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE. 

IN NO EVENT WILL SCHNEIDER ELECTRIC OR ITS SUPPLIERS, DEALERS, DISTRIBUTORS, AGENTS OR EMPLOYEES BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR USE, INCURRED BY CUSTOMER OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SCHNEIDER ELECTRIC’S LIABILITY FOR DAMAGES AND EXPENSES HEREUNDER OR RELATING HERETO (WHETHER IN AN ACTION IN CONTRACT, TORT OR OTHERWISE) WILL IN NO EVENT EXCEED THE AMOUNT OF ONE HUNDRED DOLLARS ($100 USD). 


Downloads

Vulnerability Details

Release on: IWS80.1.1

Insecure Permissions On Files / Directories In System PATH 

Wonderware InduSoft Web Studio v8.0 installation creates a new directory which contains two (2) files. 

This directory and one file has weak permissions, allowing any authenticated user to create new or replacing original files with malicious files. 

The directory and files are added to system's PATH. Therefore, the following can be manipulated by non-administrator users to write malicious files / dlls and escalate privileges once these are executed: 

  • File C:\Bin\x86\aahClientManaged.dll has weak permissions: ALLOW NT AUTHORITY\Authenticated Users: FILE_WRITE_DATA FILE_APPEND_DATA DELETE 

  • File C:\Bin\x86\ has weak permissions: ALLOW NT AUTHORITY\Authenticated Users: FILE_ADD_FILE FILE_ADD_SUBDIRECTORY FILE_WRITE_EA FILE_WRITE_ATTRIBUTES DELETE 

+++++

IMPACT:

Successful exploitation of this vulnerability could allow authenticated system users, to escalate their privileges. 

Solution: WI 18071 - Changed the path where the files related to the integration with WW Historian were being installed for it to be the same as the rest of the product.


ISSymbolVM.cab Hotfix

Version: 7.1 + SP1

This hotfix fixes an issue with the version numbering of the ISSymbol control.

Download Hotfix



Indusoft Web Studio v7.1 + SP1 Printer Hotfix

Version: 7.1 + SP1

There are two known issue when printing PDF files on Indusoft Web Studio v7.1 + SP1:
  1. The output PDF file displays a watermark in the bottom of each page after printing is completed
  2. The PDF printer does not generate a PDF file.
 
For both cases it is necessary to update the PDF printer installation by applying the following hotfix:

Download Printer Hotfix Now


 
Extract the zip file and run the appropriate .bat file as administrator. Refer to "ReadMe.txt" for further instructions.


Hotfix 70.1.02.32/71.0.00.17 - Critical

Version: 7.0/7.1

WI2815: Directory Traversal Buffer overflow. Provided and/or discovered by: OSVDB 73413, ICS-ALERT-13-004-01 and ICSA-13-067-01.

Solution: Install hotfix 70.1.02.32/71.0.00.17

Released 02/2013

Download Hotfix 70.1.02.32 Now

Download Hotfix 71.0.00.17 Now


Download and install v7.0 + SP1 + P1 (or later) - Moderate

Version: 6.1/7.0

WI2146: Improved the Remote Agent utility (CEServer.exe) to implement authentication between the development application and the target system, to ensure secure downloading, running, and stopping of projects. Also addressed problems with buffer overrun when downloading large files. Credits: OSVDB 77178 and 77179

Solution: Install v7.0 + SP1 + P1

Released 11/2011

Download Now


Hotfix 70.1.02.12 - Critical

Version: 7.0

WI1944: ISSymbol Virtual Machine buffer overflow Provided and/or discovered by: OSVDB 72865

Solution:Install hotfix 70.1.02.12

Released 11/2011

Download Now


Download and install v7.0 + SP1 + P1 (or later) - Moderate

Version: 7.0

WI1889: New button causes long screen load time on Thin Clients

Solution: Install v7.0 + SP1 + P1

Download Now


Hotfix 61.6.03.19 - Critical

Version: 6.1 SP6 (Note: This issue also occurs with v7.0 without Service Pack 1.)

WI1944: ISSymbol Virtual Machine buffer overflow Provided and/or discovered by: OSVDB 72865

Solution: Install hotfix 61.6.03.19

Released 04/2011

This web server is available in the InduSoft products only for testing purposes as indicated in the InduSoft Web Studio documentation. Real applications running in the field should not see any problems as they should be using the IIS or Apache instead of the NTWebServer. However, InduSoft has addressed the security issue on version 7.0 + SP1. Note: If you are using an older version of NTWebServer, or running the PCDemo project, please copy/use NTWebServer.exe from the Bin folder of where InduSoft Web Studio v7.0 + SP1 (or later) is installed.

Download Now