CitectSCADA Safety and Security Knowledge Base

Important security notification - Vulnerability in Historian

Administrator — Tue, 17 Jan 2012 02:40:00 GMT

Abstract: Important security notification - Vulnerability in Historian

January 16, 2012: Update - Resolved Issue on the Webclient

Updated the fix to resolve the following:

The user is no longer prompted to install HistorianWebClient.cab everytime the client is restarted
Updated the third party TeeChart™ ActiveX Control

We recommend that all customers install the updated fix by clicking on the relevant link below (Links can be found in the notification dated Oct 24th 2011)

October 24, 2011

Schneider Electric® has become aware of multiple vulnerabilities in Vijeo Historian™ V4.30 and earlier, CitectHistorian™ V4.30 and earlier, and CitectSCADAReports™ V4.10 and earlier.

The vulnerabilities identified include:

Cross-site scripting (XSS) vulnerability which allows remote attackers to inject arbitrary web script or HTML via an HTTP request
Directory traversal vulnerability in the web portal allowing remote attackers to read arbitrary files in a HTTP request
Multiple buffer overflows in the third party TeeChart™ ActiveX control allowing a remote attacker using social engineering to cause a denial of service and / or execute arbitrary code.

Recommendation

Schneider Electric has developed a fix for the above vulnerabilities.

Please note, this fix WILL NOT affect the capacities/functionalities of the product or impact the performance of your installation.

Schneider Electric recommends ALL customers using above mentioned software packages to download and apply the fix.

The fix is available from each version family of the product:

Version V4.30 of Vijeo Historian / CitectHistorian
Version V4.20 of Vijeo Historian / CitectHistorian
Version V4.10 of Vijeo Historian / CitectSCADA Reports

Schneider Electric has been designing industrial automation software almost 25 years and educating the market about potential security vulnerabilities. Schneider Electric follows, and recommends to its customers, industry best practices in the development and implementation of control systems.

Acknowledgments

Schneider Electric wishes to thank the following for working with us to help protect our customers:

Steema Software for their prompt response and contribution to the resolution of the TeeChart ActiveX control vulnerability
Researcher Kuang-Chun Hung of Security Research and Service Institute - ICST (Information and Communication Security Technology Center) for reporting the Buffer Overflow Vulnerability (ICS-VU-614277).

Support

If you are unsure of whether you could be affected by this vulnerability or if you have any questions on this issue please contact the Operation & Optimization Global Support Centre:http://www.scada.schneider-electric.com/sites/scada/en/login/country-support.page

Version Number	Date	Comment
1.0	24 Oct 2011	Orignal notification released
2.0	16 Jan 2012	Updated fix to resolve issue on the web client

Important security notification – Vulnerability within UnitelWay Windows Device Driver

Administrator — Fri, 30 Sep 2011 00:59:00 GMT

Abstract: Important security notification – Vulnerability within UnitelWay Windows Device Driver

Schneider Electric has become aware of a vulnerability within all versions of the UnitelWay Windows Device Driver, which may have been installed when choosing specific drivers, or by installing all available drivers by default together with the following Schneider Electric software packages:

Vijeo Citect V7.20 and all previous versions run on Windows XP
OPC Factory Server V3.34 run on Windows XP
Telemecanique Driver Pack V2.6 and below
Unity Pro V6.0 and all previous versions run on Windows XP
Monitor V7.6 and all previous version run on Windows XP
PL7 Pro V4.5 SP5 and all previous run on Windows XP

The vulnerability has been identified as an internal exploit risk, which may cause a buffer overflow allowing arbitrary code to be executed.

What is the associated cyber security risk?

According to our experts, the vulnerability can only exist if the following conditions are accumulated:

A HTTP server has been installed on the engineering station
The workstation is externally accessible, without firewall protection
The security level of the internet browser has been unlocked

The potential impact for our customers is then dependant on the nature of their application and the content of the arbitrary code.

The conditions allowing the vulnerability to exist are in direct contradiction to our basic architecture recommendations, thus the likelihood of arbitrary code being executed as a result of the vulnerability is very low.

Recommendation

Schneider Electric has developed a fix for the vulnerability which will modify one of the libraries of the UnitelWay Windows Device Driver. Please note, this fix WILL NOT affect the capacities/functionalities of the driver or, therefore, impact the performance of your installation.

Schneider Electric recommends ALL customers using above listed software packages to download and apply the fix.

The fix is available from here: http://www.scada.schneider-electric.com/download/security/HFPEP0047398R.zip

If you are unaware as to whether you have installed this driver or not, the fix will first conduct a scan to detect the presence of the driver. If the driver has not been installed, you will be informed and the fix will not be installed. If the driver has been installed, you will be informed, and will then be able to install the fix.

Support

If you are unsure of whether you could be affected by this vulnerability or if you have any questions on this issue please contact our support centres.

Vijeo Citect customers please contact the Operation & Optimization Global Support Centre: http://www.scada.schneider-electric.com/sites/scada/en/login/country-support.page.

All other customers please select your local Customer Care Center: http://www2.schneider-electric.com/sites/corporate/en/support/operations/local-operations/local-operations.page.

Important notification about a possible vulnerability on the CitectSCADA Batch Server installed by CitectSCADA™ V7.10 and below

Geoff Leach — Wed, 24 Aug 2011 01:54:00 GMT

Abstract:

Schneider Electric^® has become aware of a possible vulnerability within CitectSCADA Batch Server installed by CitectSCADA V7.10 and below.

IMPORTANT NOTICE: THE CITECTSCADA SOFTWARE V7.20 AND ALL VERSIONS OF VIJEO CITECT ARE NOT AFFECTED BY THIS POTENTIAL VULNERABILITY.

The vulnerability has been identified as an internal exploit risk, which may result in a buffer overflow allowing arbitrary code to be executed.

CitectSCADA Batch has not, for the last five years, been under active enhancement and was only provided to assist customers with existing installations. The vulnerability is contained within a third-party control used in the CitectSCADA Batch product.

Schneider Electric has identified all existing licenses of CitectSCADA Batch and we are working individually with our customers to ensure they are not at risk from this vulnerability. Schneider Electric recommends customers who are actively using Batch to contact support and upgrade to its new platform for Batch. We also advise any customers who may have installed CitectSCADA Batch but are not using it, to remove it by using the uninstaller provided on our website http://www.citect.com/citectscada-batch-uninstaller.

The Modnet Driver May Allow Random Writes To Individual Bits In A Word Using "Read Modify Write" Process

Geoff Leach — Wed, 24 Feb 2010 00:50:00 GMT

Abstract:

We would like to draw your attention to an issue which has been reported to SCADA Global Support regarding the Modnet communication driver.
The issue was reported on Modnet Driver version 2.6.19.0 (release), but is likely to exist on all versions of the driver and is fixed in Modnet Driver version 2.06.025.001 (release).

The issue is independent of the version of SCADA.
The issue has so far only been noted when communicating with Unity Quantum PLCs.

Symptoms:

The Modnet driver allows users to write to individual bits in a word using a process known as "read modify write".
Under certain circumstances other bits in the word being written to can be affected in a random manner.

Circumstances:

The issue only occurs when using the write to bit in a word as described above; other write operations are not affected.

For example, writing to addresses such as 400007.3 or %MW500.5

The issue can only occur when the following parameters are used in the CITECT.INI file:

[Modnet] MaxPending greater than 1
and
[Modnet] MaxOutstanding greater than 1

Please note: the default installed values of these parameters in the current version of the driver are:

[Modnet] MaxPending = 2
[Modnet] MaxOutstanding = 1

Older versions have higher values for both parameters.
Only devices capable of processing requests out of order can demonstrate this issue.
The issue only occurs under increased load conditions when multiple requests are likely to be processed out of order.

Workaround:

This issue can be avoided by setting the following parameter to be used in the CITECT.INI file:

[Modnet] MaxOutstanding = 1

Note that this workaround can result in a degradation of the communications performance to the Modnet device(s) if you have higher values for this parameter.

Solution:

This problem is rectified in the Modnet Release version 2.06.25.001.
Download from DriverWeb and Install.

If you want to receive updates on Modnet driver notifications and discussions you may subscribe to the Modnet forum of DriverWeb or check our website for updated information.

For assistance:

• Vijeo Citect customers, contact your local Schneider office.

• CitectSCADA and CitectFacilities customers, contact the SCADA Global Support Centre on the appropriate number for your country listed below.

SCADA Global Support Centre contact details:

OCEANIA
Australia: 1300 131 631
New Zealand: 0800 880 026

AFRICA
South Africa: 0800 998 887

LATIN AMERICA
Brazil: 800 891 2162
Mexico: 001 866 522 0285

MIDDLE EAST
Israel: 1 809 216 065

NORTH AMERICA
USA/Canada: 866 589 6855

GREATER CHINA
China: 10 800 712 1587

NORTH ASIA
Japan: 00531 121 985
South Korea: 00798 14 800 7112

SOUTH EAST ASIA
Singapore: 0800 120 4562

EUROPE
Belgium 0800 40 710
Czech Republic 0800 134 466
Denmark 808 87 453
Finland 0800 913 065
France 04 72 15 84 50
Germany: +49 8931901445
Hungary: 06 800 18490
Italy: 800 986 902
Norway: 800 11979
Spain: 800 098 944
Sweden: 0200 882 612
Switzerland: 0800 001 241
Netherlands: 0800 020 0498
UK: 0800 376 2869

ALL OTHER COUNTRIES
Reverse call charges: +61 2 9496 7400

EMAIL
support@citect.com

IDC & FTP security recommendations

Administrator — Wed, 22 Oct 2008 21:38:00 GMT

Abstract:

Products: CitectSCADA / Vijeo Citect / CitectFacilities

Versions: All

Related area: IDC (Internet Display Clients) using FTP only

Background Information:

CitectSCADA currently ships with an FTP server, which is installed, but not activated, by default and is used in order to configure and correctly utilise Internet Display Client (IDC) functionality.

(note: If you are not using the CitectSCADA IDC functionality, do not have your server set-up as a Citect Internet Server - see below - and hence the FTP server is not running, this information will not pertain to your installation and you will need take no further action)

FTP (File Transfer Protocol) provides the capability of transferring files between a client and a server. In the case of CitectSCADA it is used to download project files to the IDC. You may also use remote command capabilities to submit commands to the server. Consequently, FTP is very useful for working with remote systems, or to move files between systems. However, the use of FTP across the Internet, or other untrusted networks can expose you to certain security risks.

You must understand these risks to ensure that your security policy describes how you will minimize these risks.

Whilst the CitectSCADA FTP server is designed to operate in a 'read-only' mode (that is, files can only be downloaded, not uploaded), FTP communications are, by default, not encrypted. In an unsecure network situation this could expose data or the traffic to sniffing and injection attacks. The FTP server may be open to a Denial of Service or memory leak attack should an attacker supply invalid format specifiers during login. This would cause the FTP server to fail and render the IDC's unable to operate until the FTP server was brought back up.

How do I know if I'm running the CitectSCADA FTP server?

If you are using the CitectSCADA IDC functionality you will have to have enabled your server as an 'Internet Server', which will activate the FTP server. If you are unsure as to whether a server is an Internet Server, please use the Computer Setup Wizard to check the Internet Server setting or see your citect.ini file (paramater will be: [Internet] Server=1).

Recommendations

Citect's recommendations for customers who may be concerned about using FTP are as follows:

- switch from using the IDC to the CitectSCADA Web Client. There are no licensing restrictions in doing this, and minimal functional changes result. Some set-up is required, including activating a web server (IIS or Apache) and installing a supporting application. Using the Web Client negates the need for using FTP. Upgrades from IDC to Web Client are free. Note that the Web Client is only available for version 6.0 of CitectSCADA and above. If you are running an earlier version of CitectSCADA, we recommend that you upgrade to the latest version.

- switch from using the IDC to a traditional CitectSCADA desktop client. There will be a small license key configuration change needed to do this, but again this negates the need to use FTP. Furthermore, you will need to consider how project files will be deployed to remote clients.

- in circumstances where swapping from the IDC is not an option, we recommend securing your FTP traffic through the use of appropriate firewall rules, SSH and optionally VPN. Ensure that the network on which the FTP server is running is inaccesible from non-controlled and non-trusted networks and that network logons are tightly controlled. If possible, use secure IP, which may involve some hardware upgrades.

- if IDCs are not in use, turn off the FTP service (by ensuring a server is not marked as an 'Internet Server' - see above) and/or block FTP traffic at the firewall.

The recommendations above still stand, but in addition we recommend customers still requiring to run IDCs and FTP to also upgrade to version 7.1.

Release 7.1 of CitectSCADA (Q4 2008) contains an updated version of the FTP server with additional security features. These features remove the ability to attempt a DOS or memory leak attack, and also address an issue with a hardcoded username and password [v7.0 SP1 and v7.1+ only].

Alternatively, please install an updated version of the FTP server for your version of CitectSCADA, which will be made available shortly from Citect Support as a separate executable file. Service Pack 1 for CitectSCADA v7.0, planned for Q4 2008, will also contain the relevant updates.

If you have any questions or concerns, please contact our support department in the first instance.

[Credits: our thanks goes to Netragard for their help in identifying the above issues and working with us on recommended actions]

SCADA and Process Control Network Security

Administrator — Sat, 20 Sep 2008 02:27:00 GMT

Abstract:

Products: CitectSCADA / Vijeo Citect / CitectFacilities

Versions: All

A security vulnerability has been found in CitectSCADA which could expose the system to a buffer overflow attack.

The issue affects customers running ODBC by targeting an open port (20222) which can cause the system to crash, opening up the possibility of arbitrary code execution.

This vulnerability has been patched for version 6.0A, 6.1A, 6.1B, and version 7.0 of CitectSCADA. Please see the information below with reference to specific hotfix numbers, or contact our support department for further information. For customers not requiring ODBC connectivity we recommend closing port 20222 in addition to applying the relevant patch.

Patch references:

7.0 Patch is HF700R138255
Bug 38255 - Security vulnerability on citect port 20222 (ODBC port).

6.1B Patch is HF610B38255
Bug 38255 - Security vulnerability on citect port 20222 (ODBC port).

6.1A Patch is HF610A38255

Bug 38255 - Security vulnerability on citect port 20222 (ODBC port).

6.0A Patch is HF600A39160 (yes)

Bug 38255 - Security vulnerability on citect port 20222 (ODBC port)

[note, the hotfixes have been re-tested following the publication of metasploit code designed to target this vulnerability. We can confirm that the fixes will work against this code. Also note that closing port 20222 in itself will also work]

To obtain Security Hotfixes contact Citect support

For further information please see our website, contact support or your local Citect representative.

Further general information:

The following advice is communicated for the benefit and enhancement of the use of our software.

CitectSCADA is not designed to reside on a public network.

We recommend robust protection which may include firewall, intrusion detection systems, VPN and segmentation between the enterprize network and the internet to prevent unauthorized communications to your servers.

Most importantly, we advice that process control networks which typically use open, published communication protocols, should not be accessible from a public network.

Further information is provided in the whitepaper that can be download from our website Technical Whitepaper on SCADA system security.

Additional information on the security and protection of SCADA and PCN is currently available through several established government associated sources such as:

USA
US-CERT: United States Computer Emergency Readiness Team

Europe
ENISA: European Network Information Security Agency

UK
GovCertUK: Computer Emergency Response Team
(previous responsibility with NISCC: National Infrastructure Security Co-ordination Centre)

CPNI: Centre for the Protection of National Infrastructure
SCADA Security publication

Australia
TISN: Trusted Information Sharing Network
SCADA Security publication

Further sources of information such as, standards association publications, papers and references can been found within the above links.