PT-2015-14: Password Access in Schneider Electric InduSoft Web Studio and InTouch Machine Edition 2014

Vulnerable software

Schneider Electric InduSoft Web Studio
Version: 7.1.3.4 and earlier

InTouch Machine Edition 2014
Version: 7.1 SP1 Patch 4 and earlier

Links:
http://www.indusoft.com/
http://schneider-electric.com/

Severity level

Severity level: Medium
Impact: Password Access
Access Vector: Remote

CVSS v2:
Base Score: 6.4
Vector: (AV:L/AC:L/Au:S/C:C/I:C/A:P)

CVE: CVE-2015-1009

Software description

InduSoft Web Studio is a powerful collection of automation tools that provide all the automation building blocks to develop HMIs, SCADA systems and embedded instrumentation solutions.

InTouch Machine Edition is a powerful Human Machine Interface (HMI) solution built upon industry-proven technology. This provides you with outstanding capabilities and benefits for embedded devices, intelligent machines and industrial panel computers.

Vulnerability description

The specialists of the Positive Research center have detected a Password Access vulnerability in Schneider Electric InduSoft Web Studio and InTouch Machine Edition 2014.

Systems do not encrypt user passwords, which allows attackers to access them.

How to fix

Update your system to the latest version.

Advisory status

01.04.2014 - Vendor gets vulnerability details
30.07.2015 - Vendor releases fixed version and details
26.08.2015 - Public disclosure

Credits

The vulnerability was detected by Ilya Karpov, Positive Research Center (Positive Technologies Company)

References

http://en.securitylab.ru/lab/PT-2015-14
https://gcsresource.invensys.com/support/docs/_securitybulletins/Security_bulletin_LFSEC00000110.pdf
https://ics-cert.us-cert.gov/advisories/ICSA-15-211-01

Reports on the vulnerabilities previously discovered by Positive Research:

http://www.ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/