Multiple vulnerabilities in Schneider Electric IGSS Mobile
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2017-9968 CVE-2017-9969 |
| CWE-ID | CWE-300 CWE-256 |
| Exploitation vector | Local network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
IGSS Mobile Mobile applications / Apps for mobile phones |
| Vendor | Schneider Electric |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Man-in-the-middle attack
EUVDB-ID: #VU10622
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-9968
CWE-ID:
CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Exploit availability: No
DescriptionThe vulnerability allows an adjacent attacker to conduct man-in-the-middle attack.
The weakness exists due to lack of certificate pinning during the TLS/SSL connection establishing process. An adjacent attacker can use man-in-the-middle techniques to monitor the
traffic and access or modify sensitive information.
Install update from vendor's website.
IGSS Mobile: 1.0 - 3.01
External linkshttp://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Id=911155...
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU10623
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-9969
CWE-ID:
CWE-256 - Unprotected Storage of Credentials
Exploit availability: No
DescriptionThe vulnerability allows a local high-privileged attacker to obtain potentially sensitive information.
The weakness exists due to app passwords are stored in clear-text in the configuration file. A local attacker can gain access to important data.
Install update from vendor's website.
IGSS Mobile: 1.0 - 3.01
External linkshttp://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Id=911155...
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
