Thanks to the researcher kimiya, working with Trend Micro Zero Day Initiative, the IGSS team has become aware of 8 security issues in IGSS V16. The issues relate to the IGSS Data Server, Dashboard and Custom Reports modules in IGSS V188.8.131.5240 and prior versions.
A security update has been released to fix the issues in IGSS version 16.
Update the IGSS software by downloading the latest version, by running IGSS Update from the IGSS Master module, or by installing the latest update from our download section.
If you choose not to use the update provided, please apply the following mitigations to reduce the risk of exploitation:
- Read the Security Guideline for IGSS on securing an IGSS SCADA-installation.
- Back up the files in the report directory. In the System Configuration module under Files, automatic backup can be enabled for the file types to back up.
- Strip macros from Excel report output. In the System Configuration module under Reports, stripping of macros for the output engine can be enabled, reducing the risk of distributing an unsafe report.
- Follow the general security recommendations provided in the security notification and verify that devices are isolated on a private network and that firewalls are configured with strict boundaries for devices that require remote access.
More details can be found in the official security notification that has been released on Schneider Electric Global – Cybersecurity Notifications.