Security Notification: DC vulnerabilities fixed in v15

Thanks to the independent researches Vyacheslav Moskvin working with Trend Micro Zero Day Initiative the IGSS team has become aware of security issues concerning communication with the dc.exe (Data Collector) module in IGSS V15.0.0.21243 and prior versions.

A security update has been released to fix the issues in IGSS version 15.
Make sure to update the IGSS software either by downloading the latest version by running IGSS Update from the IGSS Master module or install the latest update from our download section.

If you choose not to use the update provided, then please apply the following mitigations to reduce the risk of an exploit:

  • Only accept incoming connections from machines, which name have been added as a Station in the IGSS System Configuration module by setting the registry key called “MatchWinName” to 1 under: “HKEY_CURRENT_USER\SOFTWARE\Schneider Electric\IGSS32\V15.00.00\DC_HKLM\”.

  • Follow the general security recommendations provided in the security notification and verify that devices are isolated on a private network and that firewalls are configured with strict boundaries for devices that require remote access.

More details about can be found in the official security notification released on Schneider Electric Global – Cybersecurity Notifications.

classified, background, blog