ICSA-17-201-01 · Published 2017-07-20
Schneider Electric PowerSCADA Anywhere and Citect Anywhere
CVSS 8.1 (HIGH)
Risk Summary
ATTENTION: Remotely exploitable/low skill level to exploit.
Remediations
- Schneider Electric strongly recommends that users upgrade their systems as soon as possible. The following provides links to instructions for addressing software that is at potential risk for the vulnerabilities:
  - PowerSCADA Anywhere Version 1 used with PowerSCADA Expert v8.2 and PowerSCADA Expert v8.1: Uninstall PowerSCADA Anywhere (from Add/Remove Programs). Then install PowerSCADA Anywhere Version 1.1 available in the following location:
  - Citect Anywhere version 1.1:
- In addition to installing the provided security patch, Schneider Electric recommends that the following steps be taken to further harden the system:
  - Configure the HTTP origin header whitelist to match the environment's URL(s) used for accessing the secure gateway. This address may be one or more of the IP, machine name, or domain name where the secure gateway is hosted. The address may also be that of a load balancer or proxy, if the secure gateway is deployed that way.
  - Configure the secure gateway's whitelists to restrict access to expected client IPs, as well as to restrict access from the secure gateway to only expected internal server hosts. For an additional defense-in-depth layer, users can further use the Windows OS-level firewall (or zone firewalls) to restrict communication among only the expected nodes.
  - If using self-signed certificates, configure the secure gateway machine to trust the server certificate.
  - Depending on the organization's requirements, users can further configure the secure gateway to restrict the usable TLS protocols. For an additional defense-in-depth layer, TLS protocols and cipher suites can also be restricted at the operating system level through the use of third party tools such as IISCrypto.
  - Create unique user accounts with minimal privileges dedicated to accessing applications remotely. OS group policy objects can be used to further restrict what those unique user accounts are allowed to do. For an example configuration that disables task manager from being launched in a remote app connection, follow the steps available here:
- For more information about the vulnerabilities and patch in PowerSCADA Anywhere, please refer to Schneider Electric Security Notification - PowerSCADA Anywhere SEVD-2017-173-01, which is available at the following location:
- For more information about the vulnerabilities and patch in Citect Anywhere, please refer to Schneider Electric Security Notification - Citect Anywhere, which is available at the following location:
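The origin-header and client-IP whitelist steps above can be dry-run against planned values before they are applied to the gateway. This is an added example, not Schneider Electric's code or configuration format: the exact scheme/host/port match is an assumption about matching semantics, and all host names, addresses and sample records are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed values for illustration; substitute the environment's own.
ALLOWED_ORIGINS = ["https://gw.example.internal", "https://10.20.0.5:8443"]
ALLOWED_CLIENT_NETS = [ipaddress.ip_network(n) for n in ("10.20.30.0/24", "192.0.2.17/32")]
DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize_origin(origin):
    """Return (scheme, host, port) for an Origin value, or None if malformed."""
    try:
        parts = urlsplit((origin or "").strip())
        extra = parts.path or parts.query or parts.fragment or parts.username
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname or extra:
            return None  # an Origin is scheme://host[:port] and nothing else
        port = DEFAULT_PORTS[parts.scheme] if parts.port is None else parts.port
        return (parts.scheme, parts.hostname.lower(), port)
    except ValueError:  # port out of range or malformed IPv6 literal
        return None

# Exact tuple match: substring or suffix matching would accept look-alike hosts.
ALLOWED = {normalize_origin(o) for o in ALLOWED_ORIGINS} - {None}

def origin_allowed(origin):
    return normalize_origin(origin) in ALLOWED

def client_allowed(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in ALLOWED_CLIENT_NETS)
    except ValueError:
        return False

def audit(records):  # returns (record_no, reason) for each rejected record
    findings = []
    for n, (ip, origin) in enumerate(records, 1):
        if not client_allowed(ip):
            findings.append((n, "client-ip"))
        elif not origin_allowed(origin):
            findings.append((n, "origin"))
    return findings

# Constructed sample records (client IP, Origin header); not real traffic.
SAMPLE = [
    ("10.20.30.41", "https://gw.example.internal"), ("10.20.30.41", "HTTPS://GW.Example.Internal:443"),
    ("10.20.30.41", "https://gw.example.internal.example.net"), ("203.0.113.9", "https://gw.example.internal"),
    ("10.20.30.77", "http://gw.example.internal"), ("192.0.2.17", "https://10.20.0.5:8443"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Records that a legitimate client would produce but that appear in the findings indicate a whitelist entry missing for that access path, for example a load balancer or proxy address.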
Affected Vendors
Schneider Electric Software, LLC
Affected Products (2)
- Schneider Electric Software, LLC · Citect Anywhere · 1.0
- Schneider Electric Software, LLC · PowerSCADA Anywhere redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 · 1.0
Affected Sectors
Commercial Facilities