Pierluigi Paganini
April 07, 2015
According to the recent advisories issued by Schneider Electric and ICS – CERT, there is a vulnerability (CVE-2014-8390) that can allow hackers to penetrate the system and trigger arbitrary code execution. The vulnerability was identified and made public by Core Security.
Schneider Electric VAMPSET Software has been found lacking in security layering, which brings hackers’ skillfulness and sophistication to the spotlight once more. As it has turned out, the VAMPSET can be taken advantage by crackers and professionals who wish to control the software thanks to this vulnerability. Consequently, the hackers can take control and cause random code executed by the software – unlike it has been designed to operate.
According to ICS – CERT, the potential impact of such a flaw can be truly severe:
“An attacker who exploits this vulnerability may be able to execute arbitrary code. Impact to individual organizations depends on many factors that are unique to each organization. ICS – CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.”
The recommendations of ICS – CERT, needless to say, should be taken into some serious consideration and not dealt with lightly.
Not all the versions of VAMPSET are vulnerable to the flaw detected, on the bright side. To be more specific, only V2.2.145 and all the versions that have been released prior to that are facing this displeasing consequence. So, all the other versions that are newer than the V2.2.145 are in no danger to this date.
It is also worth noting that Schneider Electric has also released an advisory on the matter. This is characterized as an “Important Security Notification” and is dated “25th March, 2015”. According to their advisory, they have become well aware of the security flaw and they have been dealing with the vulnerability in an efficient manner. To quote their point of view as to the extent and severity of the flaw:
“The vulnerability in VAMPSET is caused by opening malformed VAMPSET disturbance recorder files. VAMPSET becomes halted when trying to open a corrupted file. Even though Windows operating system remain operational, VAMPSET does not respond anymore until the corresponding process is terminated. This is caused by a buffer overflow which could result in remote code execution.”
The vulnerability was identified and made public by Core Security and the issue has been addressed to the company (Schneider Electric) from the middle of February, based on what Core states. Ricardo Navarja, who is a researcher for Core Security, eventually noticed that something is wrong and that any local attacker could benefit from the cracks in the overall security layering of VAMPSET. Following the discovery and the analysis of the vulnerability, Core Security published even more detailed information on the flaw and on the possible solutions or workarounds related to that.
Along with that, on the very same publication by Core Security you can see the detailed timeline that reveals the first discovery of the flaw on 29th January, with other significant dates stretching all the way to 30th March. This is definitely an interesting piece of information, which guides us through the different phases of communication between the company and the security researchers.
Written by: Ali Qamar, Founder/Chief Editor at SecurityGladiators.com
Author Bio:
Ali Qamar is an Internet security research enthusiast who enjoys “deep” research to dig out modern discoveries in the security industry. He is the founder and chief editor at SecurityGladiators.com, an ultimate source for worldwide security awareness having supreme mission of making the internet more safe, secure, aware and reliable. Follow Ali on Twitter @AliQammar57
Edited by Pierluigi Paganini
(Security Affairs – VAMPSET)
