Hardcoded Password Vulnerability in Schneider Electric InduSoft Web Studio and InTouch Machine Edition
CVE-2015-0996

Currently unrated

Key Information:

Vendor: Schneider Electric
Status: Wonderware Intouch 2014; Aveva Edge
Vendor: CVE Published:; 29 March 2015

Summary

The vulnerability in Schneider Electric's InduSoft Web Studio and InTouch Machine Edition arises from the use of hardcoded cleartext passwords for controlling read access to Project and Project Configuration files. This design flaw allows local users to easily discover the password, thereby gaining unauthorized access to sensitive project information, which could lead to potential data breaches and compromise the integrity of operational environments.

References

http://download.schneider-electric.com/files?p_Doc_Ref=SE...

x_refsource_CONFIRM

https://ics-cert.us-cert.gov/advisories/ICSA-15-085-01

x_refsource_MISC

http://download.schneider-electric.com/files?p_Doc_Ref=SE...

x_refsource_CONFIRM

Timeline

Vulnerability published
Mar 29, 2015
Vulnerability Reserved
Jan 10, 2015