CVE-2023-2570

7.0 HIGH

📋 TL;DR

This vulnerability in the Foxboro.sys driver allows local attackers to cause denial-of-service or potentially execute kernel code by sending specially crafted IOCTL calls with invalid array indices. It affects systems running Schneider Electric Foxboro software with the vulnerable driver. Attackers need local user access to exploit this vulnerability.

💻 Affected Systems

Products:
  • Schneider Electric Foxboro DCS
Versions: Not detailed in the referenced material; check the vendor advisory for the exact affected versions.
Operating Systems: Windows (based on .sys driver)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Foxboro.sys driver to be loaded and accessible to local users.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Local privilege escalation to kernel-level execution, allowing complete system compromise and persistence.

🟠 Likely Case: Local denial-of-service causing system crashes or instability in affected Foxboro systems.

🟢 If Mitigated: Limited impact with proper access controls preventing unauthorized local user access to affected systems.

🌐 Internet-Facing: LOW - Requires local user access, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Insider threats or compromised local accounts could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local user access and ability to craft specific IOCTL calls with unpredictable array indices.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Schneider Electric advisory SEVD-2023-164-04 for specific patched versions.

Vendor Advisory: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-164-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-164-04.pdf

Restart Required: Yes

Instructions:

1. Download patch from Schneider Electric portal.
2. Apply patch following vendor instructions.
3. Restart affected systems.
4. Verify patch installation.

🔧 Temporary Workarounds

Restrict local user access (Windows): Limit local user accounts and implement least privilege access controls to reduce attack surface.

Driver access controls (Windows): Implement Windows security policies to restrict access to Foxboro.sys driver.

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized local user access to affected systems.
  • Monitor for unusual IOCTL calls or system crashes related to Foxboro.sys driver.

🔍 How to Verify

Check if Vulnerable:

Check if Foxboro.sys driver is present and version matches vulnerable range from vendor advisory.

Check Version:

Check driver properties in Windows Device Manager or use: driverquery | findstr Foxboro

Verify Fix Applied:

Verify patch installation through vendor tools or check driver version against patched versions in advisory.

📡 Detection & Monitoring

Log Indicators:

  • System crashes, blue screens, or unexpected reboots
  • Unusual IOCTL calls to Foxboro.sys driver

Network Indicators:

  • Not applicable - local exploitation only

SIEM Query:

Windows Event ID 41 (unexpected shutdown) OR driver-related errors in System logs
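
The verification and monitoring steps above, combined into one PowerShell check. This is an added example, not vendor or advisory code; it assumes the driver image is named Foxboro.sys as on this page, and $PatchedVersion is a placeholder to be filled in from SEVD-2023-164-04.

```powershell
# Added example: inventory Foxboro.sys and review unexpected-shutdown events.
# Assumption: $PatchedVersion is a placeholder; take the real value from SEVD-2023-164-04.
$PatchedVersion = $null      # e.g. [version]'<fixed version from advisory>'
$LookbackDays   = 30         # constructed default, adjust to your retention

# 1. Find kernel driver services whose image path ends in Foxboro.sys.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match '(?i)foxboro\.sys$' }

$inventory = foreach ($d in $drivers) {
    # Normalise the NT-style prefixes that driver image paths may carry.
    $path = $d.PathName -replace '^\\\?\?\\', '' `
                        -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $vi  = (Get-Item -LiteralPath $path -ErrorAction SilentlyContinue).VersionInfo
    $ver = if ($vi) {
        [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                       $vi.FileBuildPart, $vi.FilePrivatePart)
    }
    [pscustomobject]@{
        Service     = $d.Name
        State       = $d.State          # Running means the driver is loaded
        Path        = $path
        FileVersion = $ver
        Status      = if (-not $ver)            { 'version unreadable' }
                      elseif (-not $PatchedVersion) { 'compare with advisory' }
                      elseif ($ver -lt $PatchedVersion) { 'BELOW patched version' }
                      else                        { 'at or above patched version' }
    }
}

# 2. Event ID 41 (Kernel-Power): a non-zero BugcheckCode means the reboot
#    followed a bugcheck (blue screen) rather than a plain power loss.
$crashes = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Power'
        Id = 41; StartTime = (Get-Date).AddDays(-$LookbackDays)
    } | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $code = [uint32]($data | Where-Object Name -eq 'BugcheckCode').'#text'
        [pscustomobject]@{
            Time         = $_.TimeCreated
            BugcheckCode = '0x{0:X}' -f $code
            AfterCrash   = ($code -ne 0)
        }
    }

if (-not $inventory) { 'Foxboro.sys is not registered as a driver on this host.' }
$inventory | Format-Table -AutoSize
$crashes   | Sort-Object Time | Format-Table -AutoSize
```

Event ID 41 alone does not name the faulting driver; on hosts where Foxboro.sys is loaded, rows with AfterCrash set to True are the ones to follow up with the memory dump.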
