Important Security Notification for PSE, PME, and Power Manager

Issue
Schneider Electric has become aware of a vulnerability in the licensing brick of Power Monitoring Expert, Power Manager, and PowerSCADA Expert.
This vulnerability could allow a remote, unauthenticated attacker to potentially execute arbitrary code on the server.

Product Line
Power Monitoring Expert 8.1
Power Monitoring Expert 8.0
Power Monitoring Expert 7.2.x
Power Manager 1.x
PowerSCADA Expert 8.1
PowerSCADA Expert 8.0 SR1
PowerSCADA Expert 7.40
PowerSCADA Expert 7.30
PowerSCADA Anywhere

Environment
Flexera Software FlexNet Publisher

Cause
Flexera Software FlexNet Publisher is a software license manager that is part of the Power Monitoring Expert, Power Manager, and PowerSCADA Expert licensing brick.

Flexera Software reported a vulnerability in Flexera FlexNet Publisher, CVE-2016-6273.
This vulnerability could permit a remote attacker to cause a denial of service.

CVSS scores are a standard way of ranking vulnerabilities and are provided for reference; individual users should adapt them as required.
Overall CVSS v3 Base Score: 7.5 High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Multiple buffer overflows in (1) lmgrd and (2) Vendor Daemon in Flexera FlexNet Publisher before 11.13.1.2 Security Update 1 allow remote attackers to execute arbitrary code via a crafted packet with opcode (a) 0x107 or (b) 0x10a.

Resolution
Mitigation
To exploit this issue, an attacker would need network access to the Power Monitoring Expert, Power Manager, or PowerSCADA Expert server.

New customers: Schneider Electric has re-released the Power Monitoring Expert 8.1 (all editions), Power Manager 1.2, and PowerSCADA Expert 8.1 installers (ISO).

Existing customers: Schneider Electric strongly recommends that existing customers upgrade their systems as soon as possible. The following list links to instructions for each software version that is potentially at risk from this vulnerability:
 Power Monitoring Expert 8.1: Apply the latest security update, available in the following location:
    https://schneider-electric.box.com/s/ggjl3u201rqfxol9bx15q5ia02ie0aoq
 Power Monitoring Expert 8.0: Upgrade to the latest release of Power Monitoring Expert 8.1. Available here:
    http://www.schneider-electric.us/en/faqs/FA269154
 Power Monitoring Expert 7.2.x: A security hotfix is available for Power Monitoring Expert 7.2.2. Upgrade to version 7.2.2 if required, and then apply the hotfix available here:
    https://schneider-electric.box.com/s/cyf9tgvj0ryiai09rdk2l85xa6inxbkm
 Power Manager 1.2: Apply the latest security update, available in the following location:
    https://schneider-electric.box.com/s/zngdr7hudc4a5dwx8842e7josnde5vb8
 Power Manager 1.0 and 1.1: Upgrade to the latest re-released version of Power Manager. The installer can be found here:
    https://schneider-electric.box.com/s/08s5vvq9l4us57r3v5ykbsh00wivf721
 PowerSCADA Expert 8.1, PowerSCADA Expert 8.0 SR1 and/or PowerSCADA Anywhere: Apply the latest security update, available in the following location:
    https://schneider-electric.box.com/s/sqrpz5cl6965q2coxh4ommtv5ui6llyu
 PowerSCADA Expert 8.0, 7.40, 7.30: The Flexera Software FlexNet components were not used in these versions of PowerSCADA Expert.
   However, as a precaution, we recommend that users uninstall Floating License Manager and License Manager (from Add/Remove Programs), if they have been installed.

For More Information
This document is intended to provide an overview of the identified vulnerability and actions required for mitigation.
To obtain full details and assistance on how to protect your installation, please contact your local Schneider Electric representative.
Your representative will be fully aware of the situation and can support you through the process.
For further information on vulnerabilities in Schneider Electric products, please visit the Schneider Electric cyber security web page at:
http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cybersecurity.page