**ATTENTION:** Remotely exploitable/low skill level to exploit
Vendor: Schneider Electric
Equipment: homeLYnk Controller, LSS100100
Vulnerability: Cross-site Scripting
Schneider Electric reports that the vulnerability affects the following products:
An attacker may be able to exploit this vulnerability to cause execution of JavaScript code.
Schneider Electric has made a firmware that fixes this vulnerability available for download at:
<http://www.schneider-electric.com/en/download/document/FW1_5_1-hL/>
For more information on this vulnerability and more detailed mitigation instructions, please see Schneider Electric security notification SEVD-2017-011-01 at the following location:
<http://www.schneider-electric.com/ww/en/download/document/SEVD-2017-011-01>
NCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies, which is available for download from the ICS-CERT web site.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
No known public exploits specifically target this vulnerability.
The homeLYnk controller is susceptible to a cross-site scripting attack. User inputs can be manipulated to cause execution of JavaScript code.
CVE-2017-5157 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).
Mohammed Shameem reported this issue to Schneider Electric.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5157
cwe.mitre.org/data/definitions/79.html
ics-cert.us-cert.gov/content/recommended-practices
ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B