Thanks to the researchers kimiya and Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam), working with Trend Micro Zero Day Initiative, the IGSS team has become aware of 8+1 security issues in IGSS V16 relating to the IGSS Data Server, Dashboard and Custom Reports modules in IGSS V22.214.171.12440 and prior versions.
This news post has been updated with one additional vulnerability concerning the IGSS Dashboard where further hardening has been introduced in IGSS v16.0.023131 and later.
A security update has been released to fix these issues in IGSS version 16.
Make sure to update the IGSS software, either by downloading the latest version, by running IGSS Update from the IGSS Master module, or by installing the latest update from our download section.
If you choose not to apply the update provided, please apply the following mitigations to reduce the risk of exploitation:
- Read the Security Guideline for IGSS on securing an IGSS SCADA installation.
- Make sure to take a backup of the files in the report directory. In the System Configuration module under Files, automatic backup can be enabled for the file types to back up.
- Strip macros from Excel report output. In the System Configuration module under Reports, stripping of macros for the output engine can be enabled, reducing the risk of distributing an unsafe report.
- Follow the general security recommendations provided in the security notification and verify that devices are isolated on a private network and that firewalls are configured with strict boundaries for devices that require remote access.
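The macro-stripping setting above is only effective if the reports actually leaving the system are free of VBA. The following is an added verification example, not code from IGSS or Schneider Electric: it scans a report output directory for Office Open XML workbooks (.xlsx, .xlsm, .xltm) and flags any that still carry a VBA project part. The directory layout, file names and the minimal workbook packages it builds are all constructed for the demonstration; a real IGSS report directory is whatever the System Configuration module points to.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# An OOXML workbook is a zip package; a macro-enabled one carries this part.
VBA_PART = "xl/vbaproject.bin"
WORKBOOK_SUFFIXES = {".xlsx", ".xlsm", ".xltm"}


def has_vba_project(data: bytes) -> bool:
    """Return True if the OOXML package in `data` contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {name.lower() for name in zf.namelist()}
    except zipfile.BadZipFile:
        # Not an OOXML package (e.g. legacy binary .xls or a corrupt file);
        # such files need a separate check and are not flagged here.
        return False
    return VBA_PART in names or any(n.endswith("vbaproject.bin") for n in names)


def build_sample_workbook(with_macros: bool) -> bytes:
    """Construct a minimal workbook-like package (constructed test data, not a real report)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            # Placeholder bytes standing in for a real VBA project stream.
            zf.writestr("xl/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


def scan_report_dir(directory: Path) -> list:
    """Return the workbook paths under `directory` that still contain a VBA project."""
    flagged = []
    for path in sorted(directory.rglob("*")):
        if path.is_file() and path.suffix.lower() in WORKBOOK_SUFFIXES:
            if has_vba_project(path.read_bytes()):
                flagged.append(path)
    return flagged


if __name__ == "__main__":
    # Stand-alone demo: write two constructed reports to a temporary directory
    # (a hypothetical report output folder) and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        report_dir = Path(tmp)
        (report_dir / "daily_report.xlsx").write_bytes(build_sample_workbook(False))
        (report_dir / "legacy_report.xlsm").write_bytes(build_sample_workbook(True))
        for p in scan_report_dir(report_dir):
            print(f"macro-carrying report still present: {p.name}")
```

Run it periodically against the report output directory after enabling macro stripping; any file it lists is one the output engine did not clean, and should not be distributed until it has been regenerated.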
More details can be found in the first security notification and the additional security notification released on Schneider Electric Global – Cybersecurity Notifications.