Security Notification: 8 vulnerabilities fixed in IGSS Data Server in v15

June 23, 2022 Update: The affected versions have been updated to include versions up to V15.0.0.22170.

Thanks to the researchers at Tenable and ADLab of Venustech, the IGSS team has become aware of 8 security issues concerning communication with the IGSSdataServer.exe (Data Server) module in IGSS V15.0.0.22170 and prior versions.

A security update has been released to fix the issues in IGSS version 15.
Make sure to update the IGSS software, either by running IGSS Update from the IGSS Master module to download the latest version or by installing the latest update from our download section.

If you choose not to use the update provided, then please apply the following mitigations to reduce the risk of an exploit:

  • Follow the general security recommendations provided in the security notification and verify that devices are isolated on a private network and that firewalls are configured with strict boundaries for devices that require remote access.

More details can be found in the official security notification that has been released on Schneider Electric Global – Cybersecurity Notifications.
