Schneider Electric building manager bug allows security bypass
It's 2016 and a major vendor has had to improve basic password security
Schneider Electric's StruxureWare building management system has received a fix to address weak default credentials that could have led to nasty consequences.
The product called "StruxureWare" – which the company says is used in hospitals, offices, data centres, utilities, the finance industry and a bunch of other verticals – can be circumvented to let an attacker bypass a building's automated controls.
StruxureWare Application Server version 1.7 and older is vulnerable to OS command injection by an authenticated user, either locally or remotely.
The ICS-CERT advisory notes that it's exploitable even with a “low skill set”.
The company's note to users (PDF) says the system could be installed with “weak default user credentials”.
Further, the software's Minimal Shell – msh – functions “allow Admin users to circumvent access controls”.
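The advisory's two findings, OS command injection reachable by an authenticated user and a shell that lets admin users step around access controls, share a root cause: user-supplied input reaching an OS shell. The following is an added illustration, not StruxureWare code and not based on any detail of the actual flaw: a hypothetical "ping a host" management function shown first in the string-building form that makes injection possible, then hardened with an allowlist and an argv list so no shell parses the input. The hostname pattern is this example's own choice.

```python
import re
import subprocess

# Allowlist for the one argument this hypothetical function accepts: an IPv4
# dotted quad or a plain DNS hostname. Labels must start with an alphanumeric,
# so a leading "-" (option injection) is rejected along with shell metacharacters.
_HOST_RE = re.compile(
    r"(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}"
    r"|[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)"
)


def build_ping_command_unsafe(host: str) -> str:
    """The injectable pattern: untrusted input spliced into a command string
    that would later be handed to a shell (subprocess with shell=True, os.system).
    Authentication is not a boundary here; any user who reaches this code path
    controls the shell command line. Kept only as the 'before' picture and never
    executed in this example."""
    return f"ping -c 1 {host}"


def build_ping_argv(host: str) -> list[str]:
    """Hardened form: reject anything outside the allowlist, then build an argv
    list. With a list and shell=False the kernel receives the host as a single
    argument; there is no shell to interpret ';', '|', '$(...)' or quotes."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Executes the validated argv without a shell and returns the exit code.
    A timeout bounds how long a caller can tie up the server process."""
    argv = build_ping_argv(host)
    return subprocess.run(argv, shell=False, check=False, timeout=10).returncode
```

The validator is deliberately strict rather than trying to strip "dangerous" characters; denylisting is how such checks are usually defeated, whereas an allowlist plus argv construction removes the shell from the picture entirely.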
The vulnerability was discovered by independent researcher Karn Ganeshen, who seems to be developing a specialty in turning up default vulnerabilities. In December, he tagged weak defaults in diagnostic accounts in Brocade kit.

Update: Schneider advises that its patch for StruxureWare does not permit default passwords to be used once the system is commissioned and now implements a default password change policy. We're also advised that StruxureWare does not have door-opening powers, so scenarios outlined in previous versions of this story were not illustrative of the problem.
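The two policy points in Schneider's update, no default passwords once the system is commissioned and a forced change of the default, can be modelled in a few dozen lines. The block below is an added example written for this article, not Schneider's patch and not derived from it: the factory default, the account store, the minimum length and the three-state authentication result are all this example's own assumptions, chosen to show where such a policy has to be enforced.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed placeholder standing in for whatever a product ships with; the
# real default is not on the page and does not matter to the policy logic.
FACTORY_DEFAULT_PASSWORD = "factory-default-placeholder"
PBKDF2_ITERATIONS = 100_000  # kept modest so the example runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    must_change: bool = True  # True while the account still carries the factory default


@dataclass
class CredentialPolicy:
    """Commissioning-time rule set (this example's own design): the factory
    default is usable only on an uncommissioned system, and then only to set a
    real password; after commissioning, any account still on the default is
    refused outright rather than being allowed in."""
    commissioned: bool = False
    min_length: int = 12
    accounts: dict = field(default_factory=dict)

    def provision_default(self, username: str) -> Account:
        """Creates an account on the factory default, flagged for mandatory change."""
        salt = os.urandom(16)
        acct = Account(username, salt, _hash(FACTORY_DEFAULT_PASSWORD, salt), True)
        self.accounts[username] = acct
        return acct

    def authenticate(self, username: str, password: str) -> str:
        """Returns 'ok', 'change_required' or 'denied'."""
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            return "denied"
        if acct.must_change:
            # Default credential presented: tolerated only before commissioning,
            # and even then the caller gets no session, only a change prompt.
            return "denied" if self.commissioned else "change_required"
        return "ok"

    def change_password(self, username: str, old: str, new: str) -> bool:
        """Replaces the password; refuses short, unchanged or factory-default values."""
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(_hash(old, acct.salt), acct.digest):
            return False
        if len(new) < self.min_length or new in (old, FACTORY_DEFAULT_PASSWORD):
            return False
        acct.salt = os.urandom(16)
        acct.digest = _hash(new, acct.salt)
        acct.must_change = False
        return True

    def commission(self) -> list[str]:
        """Marks the system commissioned and returns the accounts still on the
        default. Those accounts are locked out from this point; an installer
        must have changed them beforehand or reset them out of band."""
        self.commissioned = True
        return [u for u, a in self.accounts.items() if a.must_change]
```

The important property is that the check lives in `authenticate`, not in an installer checklist: a forgotten default cannot be used to log in after commissioning, which is the behaviour the vendor says its patch now provides.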
Schneider's not disputing that Struxuware has, for years, offered a weak default password and credentials management that fall rather short of known best practice. ®