
Schneider Electric Vijeo Historian Web Server Multiple Vulnerabilities

November 28, 2011

Researcher Kuang-Chun Hung of the Security Research and Service Institute Information and Communication Security Technology Center (ICST) has identified four vulnerabilities in the Schneider Electric Vijeo Historian product line. These vulnerabilities include a denial of service (DoS), a buffer overflow, cross-site scripting (XSS), and a directory traversal.

1) Two errors in the TeeChart ActiveX control can be exploited to cause buffer overflows. No further information is currently available. Successful exploitation of this vulnerability may allow execution of arbitrary code.

2) Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

3) Certain unspecified input passed to the web portal is not properly verified before being used to read files and can be exploited to disclose arbitrary files via directory traversal attacks. 

According to Schneider Electric the following products are affected:
-  Vijeo Historian V4.30 and earlier
-  CitectHistorian V4.30 and earlier
-  CitectSCADA Reports V4.10 and earlier.

ICS-CERT Advisories / Alerts

ICSA-11-307-01
ICSA-11-307-01P (released on Nov. 3, 2011 via US-CERT secure Portal)

Vendor Website (includes Patches / Hotfixes)

Important Security Notification - Vulnerability in Historian (includes Patch via Download)
Schneider Electric Citect Home Page
Schneider Electric CitectHistorian Product Info
Schneider Electric - Safety and Security RSS Feed

Exploit Proof-of-Concept

Attackers can exploit this issue by enticing an unsuspecting victim to follow a malicious URI.

Common Vulnerability & Exposure (CVE) References

CVE-2011-4033
CVE-2011-4034
CVE-2011-4035
CVE-2011-4036

Additional Information

IBM Internet Security Systems #71503
Secunia Advisory #47046
Secunia Vulnerability Report and Statistics on CitectHistorian 4.x
Secunia Vulnerability Report and Statistics on CitectSCADA Reports 4.x
Secunia Vulnerability Report and Statistics on Vijeo Historian 4.x
Security Focus Vulnerability Info and Exploit Bugtraq ID 50834

Schneider Vulnerabilities Released (ISSSource)