Another Schneider vuln: Plaintext passwords on client-side RAM resolved
Update your StruxureWare Data Center Expert to v7.4, quick!
Schneider Electric has issued a patch for its StruxureWare Data Center Expert industrial control kit following the discovery of a flaw that could allow remote access to unencrypted passwords.
The product is designed to monitor physical infrastructure at data centres handling everything from cooling to backup generators. The flaw – discovered by Positive Technologies – meant an attacker can recover passwords from RAM on the client side of the platform, where they are held in unencrypted form.
"A hacker could use this flaw to penetrate the internal network at a data centre, obtain confidential information, or even cause physical harm," said Ilya Karpov, head of the ICS Research and Audit Unit at Positive Technologies. "A vulnerability such as this threatens the functioning of critical systems on which data centres depend: video surveillance, fire suppression, backup generators and generator control units, switches, pumps, UPS systems, and precision cooling."
Fortunately, Schneider Electric has developed an update that resolves the vulnerability, rated 7.6 on the CVSS v3 scale. The vendor is urging its customers to upgrade all installations of StruxureWare Data Center Expert to version 7.4.
In a statement, the vendor told El Reg: "Schneider Electric has become aware of a vulnerability in StruxureWare Data Center Expert 126.96.36.199 and 7.2.4 and earlier versions of the product. The vulnerability identified is related to the storage of the product passwords. It has been discovered that some passwords are stored in cleartext in random access memory (RAM). We issued a security notification that shares mitigation recommendations."
Schneider Electric systems have thrown up similar unencrypted password flaws in the past, which has to be a concern, even though both vendor and security researchers collaborated successfully to resolve the latest vulnerability. ®