CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score
Confidence: High

EPSS
Percentile: 61.5%

Successful exploitation of these vulnerabilities may result in remote code execution, which could result in an attacker gaining access to the Windows Operating System on the machine used to import CGF and WSP files.
The following versions of Interactive Graphical SCADA System (IGSS) are affected:
Exploitation of this vulnerability could result in loss of data or remote code execution due to missing length checks when a malicious CGF file is imported to IGSS Definition.
CVE-2021-22750 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Exploitation of this vulnerability could result in disclosure of information or execution of arbitrary code due to lack of input validation when a malicious CGF (Configuration Group File) is imported to IGSS Definition.
CVE-2021-22751 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Exploitation of this vulnerability could result in loss of data or remote code execution due to missing size checks when a malicious WSP (Workspace) file is being parsed by IGSS Definition.
CVE-2021-22752 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Exploitation of this vulnerability could result in loss of data or remote code execution due to missing length checks when a malicious WSP file is being parsed by IGSS Definition.
CVE-2021-22753 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Exploitation of this vulnerability could result in loss of data or remote code execution due to lack of proper validation of user-supplied data when a malicious CGF file is imported to IGSS Definition.
CVE-2021-22754 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Exploitation of this vulnerability could result in disclosure of information or remote code execution due to lack of sanity checks on user-supplied data when a malicious CGF file is imported to IGSS Definition.
CVE-2021-22755 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Exploitation of this vulnerability could result in disclosure of information or remote code execution due to lack of user-supplied data validation when a malicious CGF file is imported to IGSS Definition.
CVE-2021-22756 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Exploitation of this vulnerability could result in disclosure of information or remote code execution due to lack of validation on user-supplied input data when a malicious CGF file is imported to IGSS Definition.
CVE-2021-22757 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Exploitation of this vulnerability could result in loss of data or remote code execution due to lack of validation of user-supplied input data when a malicious CGF file is imported to IGSS Definition.
CVE-2021-22758 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Exploitation of this vulnerability could result in loss of data or remote code execution due to use of unchecked input data when a malicious CGF file is imported to IGSS Definition.
CVE-2021-22759 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Exploitation of this vulnerability could result in loss of data or remote code execution due to missing checks of user-supplied input data when a malicious CGF file is imported to IGSS Definition.
CVE-2021-22760 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Exploitation of this vulnerability could result in disclosure of information or remote code execution due to a missing length check on user-supplied data when a malicious CGF file is imported to IGSS Definition.
CVE-2021-22761 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Exploitation of this vulnerability could result in remote code execution when a malicious CGF or WSP file is being parsed by IGSS Definition.
CVE-2021-22762 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Kimiya, working with Trend Micro's Zero Day Initiative, and Michael Heinzl separately reported these vulnerabilities to CISA.
Schneider Electric recommends users update to Version 15.0.0.21141 of the IGSS Definition module (Def.exe), which includes fixes for these vulnerabilities and is available for download through IGSS Master > Update IGSS Software, or at the link above.
If users choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploitation:
Please see Schneider Electric's publication SEVD-2021-159-01 for more information.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B: Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22750
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22751
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22752
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22753
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22754
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22755
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22756
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22757
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22758
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22759
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22760
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22761
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22762
cwe.mitre.org/data/definitions/119.html
cwe.mitre.org/data/definitions/125.html
cwe.mitre.org/data/definitions/22.html
cwe.mitre.org/data/definitions/416.html
cwe.mitre.org/data/definitions/763.html
cwe.mitre.org/data/definitions/787.html
cwe.mitre.org/data/definitions/824.html
download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-01
igss.schneider-electric.com/igss/igssupdates/v150/IGSSUPDATE.ZIP
us-cert.cisa.gov/ics
us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01
us-cert.cisa.gov/ics/recommended-practices
us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B
us-cert.cisa.gov/ncas/tips/ST04-014
us-cert.cisa.gov/sites/default/files/publications/emailscams_0905.pdf
us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf