Security Notification – Citect Anywhere
Schneider Electric® originally released this advisory on the SCADA & MES Support secure Portal on May 19th, 2017. This public web page release was delayed to allow users time to implement the patch recommended.
19th May, 2017
Schneider Electric® has become aware of vulnerabilities in the Citect™ Anywhere software.
The vulnerabilities identified include:
- Cross-Site Request Forgery on the Gateway component of Citect Anywhere for multiple state-changing requests. This type of attack requires some level of social engineering in order to get a legitimate user to click on or access a malicious link/site containing the CSRF attack.
- Ability to specify Arbitrary Server Target Nodes in connection requests to the Citect Anywhere Server.
- Use of outdated cipher suites and improper verification of peer SSL Certificate.
- Ability to escape out of remote Citect Anywhere applications and launch other processes.
The vulnerabilities, if exploited, could allow a malicious entity to:
- Perform actions on behalf of a legitimate user
- Perform network reconnaissance
- Gain access to resources beyond those intended with normal operation of the product
Details on Products Affected
The following products are affected by these vulnerabilities:
- Citect Anywhere version 1.0
Schneider Electric has developed a new version of the Citect Anywhere software which addresses the above vulnerabilities.
Please note that when upgrading from Citect Anywhere v1.0 to v1.1, a license upgrade is not required; however, we recommend that you refer to the Software Installation & Configuration Guide for Citect Anywhere and Secure Gateway:
- Citect Anywhere Installation and Configuration Guide
- Secure Gateway Installation and Configuration Guide
Schneider Electric recommends that ALL customers using the above listed software packages download and upgrade to the latest version of the Citect Anywhere software.
Additional System Hardening Guidelines
In addition to installing the provided security patch, further steps can be taken to harden the system:
- Configure the Citect Anywhere Gateway’s HTTP Origin Header whitelist to match your environment’s URL(s) used for accessing the Gateway. This address may be one or more of the IP, Machine Name, or Fully Qualified Domain Name where the Gateway is hosted. The address may also be that of a Load Balancer or Proxy, if the Gateway is deployed that way.
- Configure the Citect Anywhere Gateway’s whitelists to restrict access to expected client IPs, as well as to restrict access from the Gateway to only the expected internal server hosts. For an additional defense-in-depth layer, you can further use the Windows OS-level firewall (or zone firewalls) to restrict communication to only the expected nodes.
- If using self-signed certificates, configure the Citect Anywhere Gateway machine to trust the Citect Anywhere Server certificate.
- Depending on your organization’s requirements, you can further configure the Citect Anywhere Gateway to restrict the usable TLS Protocols. For an additional defense-in-depth layer, TLS protocols and cipher suites can also be restricted at the Operating System level through the use of 3rd party tools such as IISCrypto.
- Ensure that you create unique user accounts with minimal privileges dedicated to accessing Citect applications remotely. OS Group Policy Objects (GPO) can be used to further restrict what those unique user accounts are allowed to do. For an example configuration that disables task manager from being launched in a Remote App connection, follow the steps here.
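The first hardening item above (the Gateway's HTTP Origin header whitelist) is the direct counter to the CSRF finding. The following added example, which is not Schneider Electric's code, shows the check that such a whitelist has to perform on state-changing requests: the allowed origins (a constructed set covering the IP, machine name, FQDN and a load balancer hostname, as the guidance describes) are canonicalized, safe methods pass, and a request with no usable Origin or Referer fails closed. Hostnames and addresses are placeholders.

```python
from urllib.parse import urlsplit

# Constructed allowlist mirroring the advisory's guidance: every URL the
# Gateway is reached by (IP, machine name, FQDN) plus the load balancer in
# front of it. Placeholders, not real Citect Anywhere deployment values.
ALLOWED_ORIGINS = {
    "https://gateway.example.local",
    "https://gateway.example.local:443",   # same as above once canonicalized
    "https://192.0.2.10",
    "https://CITECT-GW",                   # machine name, case-insensitive
    "https://lb.example.local",            # load balancer / proxy
}
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def _normalize(origin):
    """Canonicalize scheme://host[:port]: lowercase host, default port dropped.
    Returns None for anything that is not a parseable http(s) origin."""
    try:
        parts = urlsplit(origin.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    suffix = "" if port in (None, default) else f":{port}"
    return f"{parts.scheme}://{host}{suffix}"


_ALLOWED = {_normalize(o) for o in ALLOWED_ORIGINS}


def is_request_allowed(method, headers):
    """Return True if a request may proceed under the Origin whitelist.
    Safe (read-only) methods always pass. State-changing methods must carry
    an Origin header, or failing that a Referer, whose scheme/host/port is on
    the allowlist; a missing or 'null' origin is rejected (fail closed)."""
    if method.upper() not in STATE_CHANGING:
        return True
    h = {k.lower(): v for k, v in headers.items()}
    source = h.get("origin") or h.get("referer")
    if not source or source.strip().lower() == "null":
        return False
    return _normalize(source) in _ALLOWED
```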
Should you need any assistance please contact the SCADA & MES Software Global Support Center located here:
CVSS scores are a standard way of ranking vulnerabilities and are provided for reference; they should be adapted by individual users as required.
| Vulnerability | CVSS Score | CVSS Vector |
|---|---|---|
| Cross-Site Request Forgery | 8.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| Arbitrary Server Target Nodes | 6.5 | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Outdated Cipher Suites/Cert Verification | 5.3 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
| Escaping Citect Application | 5.5 | CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
If you would like to be notified of any future security issues of interest please register for the RSS feed on our Security Notification areas:
Schneider Electric CyberSecurity Notifications (All Products):
Vijeo Citect / CitectSCADA / CitectHistorian / Vijeo Historian / Ampla / CitectFacilities Products:
Safety and Security Notifications:
| Version | Date | Description |
|---|---|---|
| 1.1 | 20th June, 2017 | Original notification released on Public Portal |
| 1.0 | 19th May, 2017 | Original notification released to proactive notification area |
Schneider Electric is broadly distributing this Security Notification in order to bring to the attention of users of the affected Schneider Electric products the important security information contained in this Notification. Schneider Electric recommends that all users determine the applicability of this information to their individual situations and take appropriate action. Schneider Electric does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, Schneider Electric will not be responsible for any damages resulting from user's use or disregard of the information provided in this notification. To the extent permitted by law, Schneider Electric disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.
©Copyright 2017 Schneider Electric
Schneider Electric shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither Schneider Electric nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Schneider Electric and the names of the Schneider Electric products referenced herein are trademarks of Schneider Electric in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.