Monday, September 1, 2014

Few bugs in Wonderware Information Server

Vulnerabilities/fixes in Schneider Electric/Invensys Wonderware Information Server (WIS) to support tradition.

The following Schneider Electric WIS versions are affected:

  • Wonderware Information Server 4.0 SP1 Portal,
  • Wonderware Information Server 4.5 Portal,
  • Wonderware Information Server 5.0 Portal, and
  • Wonderware Information Server 5.5 Portal.




CVE-2014-2381 & CVE-2014-2380/Local & Web & SQL/Weak encryption & hardcoded accounts
CVE-2014-5397/Web/Lots of XSS
CVE-2014-5398/Web/XXE OOB
CVE-2014-5399/Web/SQLi & RCE

Kudos: Timur Yunusov, Ilya Karpov, Sergey Gordeychik, Alexey Osipov, and Dmitry Serebryannikov.

ICS CERT Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-14-238-02

Enjoy
