On 12 October 2021, Schneider Electric (SE) released six security notifications on vulnerabilities in multiple products. We recommend applying the updates currently listed by the vendor.
Details
- Conext™ Advisor & Conext™ Control V2 received updates for a number of Windows flaws that were fixed by Microsoft in 2019 and 2020. The most critical of these are:
- CVE-2020-0609 and CVE-2020-0610, remote code execution vulnerabilities in Windows Remote Desktop Gateway (RD Gateway). CVSS v3.1 Base Score 9.8.
- CVE-2020-0796, a remote code execution vulnerability in Windows SMBv3 Client/Server. CVSS v3.1 Base Score 10.
- CVE-2020-1350, a remote code execution vulnerability in Windows Domain Name System servers. CVSS v3.1 Base Score 10.
- CVE-2020-1472, an elevation of privilege vulnerability in the Netlogon Remote Protocol (MS-NRPC). CVSS v3.1 Base Score 10.
- IGSS Data Collector (dc.exe) V15.0.0.21243 and prior received updates for multiple flaws; the most critical of them allow an unauthorized party to gain access to the Windows operating system of the machine running IGSS in production. Two of the vulnerabilities received a CVSS v3.1 Base Score of 9.8:
- CVE-2021-22802, a Buffer Copy without Checking Size of Input vulnerability.
- CVE-2021-22803, an Unrestricted Upload of File with Dangerous Type vulnerability.
- Modicon TM5 modules received updates for vulnerabilities from the set disclosed in 2020 as “AMNESIA:33”. Two of them affect the TCP/IP stack code in the Modicon TM5; both are triggered by crafted IP packets and require no authentication:
- CVE-2020-13987, an Out-of-bounds read when calculating the checksums for IP packets. CVSS v3.1 Base Score 7.5.
- CVE-2020-17438, an Out-of-bounds write when reassembling fragmented IP packets. CVSS v3.1 Base Score 9.8.
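Both TM5 findings belong to one bug class: a length or offset taken from the wire is used as a bound without first being checked against the bytes actually received or the size of the destination buffer. The block below is an added illustration of that class and of the corresponding checks; it is constructed example code, not Schneider Electric's or the TM5 stack's code. It assumes a standard RFC 791 IPv4 header, a hypothetical 1500-byte reassembly buffer, and a sample packet (`build_frag`) constructed inline for the demonstration.

```c
/*
 * Added illustration of the two AMNESIA:33 bug classes listed above:
 * an out-of-bounds read when a checksum loop trusts the IP length field
 * (CWE-125) and an out-of-bounds write when a fragment is copied into the
 * reassembly buffer at a wire-supplied offset (CWE-787).  Constructed
 * example code, not the Modicon TM5 stack; layout follows RFC 791 IPv4.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP_HDR_MIN 20U
#define FRAG_MF    0x2000U   /* "more fragments" flag */
#define FRAG_OFF   0x1fffU   /* 13-bit fragment offset, in 8-byte units */

static size_t   ip_ihl(const uint8_t *h)    { return (size_t)(h[0] & 0x0f) * 4; }
static uint16_t ip_totlen(const uint8_t *h) { return (uint16_t)((h[2] << 8) | h[3]); }
static uint16_t ip_frag(const uint8_t *h)   { return (uint16_t)((h[6] << 8) | h[7]); }

/* Bug class 1.  The unsafe form derives the upper-layer length purely
 * from the header: a packet that claims total length 1500 but arrived as
 * 28 bytes makes a checksum loop read ~1480 bytes past the packet. */
size_t payload_len_unsafe(const uint8_t *pkt) {
    return (size_t)ip_totlen(pkt) - ip_ihl(pkt);
}

/* Hardened form: every wire-supplied length is bounded by what was
 * actually received (rcvd).  Returns 0 for a malformed packet, which the
 * caller must treat as "drop", not as "empty payload". */
size_t payload_len_safe(const uint8_t *pkt, size_t rcvd) {
    if (rcvd < IP_HDR_MIN) return 0;
    size_t ihl = ip_ihl(pkt), tot = ip_totlen(pkt);
    if (ihl < IP_HDR_MIN || ihl > rcvd || tot < ihl || tot > rcvd) return 0;
    return tot - ihl;
}

/* One's-complement checksum as used by IP/TCP/UDP, over a length the
 * caller has already validated with payload_len_safe(). */
uint16_t ones_complement_sum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (; len > 1; len -= 2, p += 2) sum += (uint32_t)((p[0] << 8) | p[1]);
    if (len) sum += (uint32_t)(p[0] << 8);
    while (sum >> 16) sum = (sum & 0xffffU) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Bug class 2.  Copy a fragment's payload into buf at the offset the
 * header specifies.  The vulnerable pattern performs the memcpy without
 * the range check below, so an offset of 8191*8 = 65528 writes far past
 * a 1500-byte buffer.  Returns the end offset written, or -1 on reject. */
long reass_add_fragment(uint8_t *buf, size_t bufsz, const uint8_t *pkt, size_t rcvd) {
    size_t plen = payload_len_safe(pkt, rcvd);
    if (plen == 0) return -1;
    size_t off = (size_t)(ip_frag(pkt) & FRAG_OFF) * 8;
    /* Non-final fragments must carry a multiple of 8 bytes. */
    if ((ip_frag(pkt) & FRAG_MF) && (plen % 8) != 0) return -1;
    /* Overflow-safe range check: off + plen must fit inside bufsz. */
    if (off > bufsz || plen > bufsz - off) return -1;
    memcpy(buf + off, pkt + ip_ihl(pkt), plen);
    return (long)(off + plen);
}

/* Constructed sample: 20-byte header plus 8 bytes of payload, 28 bytes
 * on the wire.  The total-length and fragment fields are parameters so
 * the lying packets can be built from the same template. */
size_t build_frag(uint8_t *out, uint16_t totlen, uint16_t fragword) {
    memset(out, 0, 28);
    out[0] = 0x45;                                   /* IPv4, IHL = 5 */
    out[2] = (uint8_t)(totlen >> 8);   out[3] = (uint8_t)totlen;
    out[6] = (uint8_t)(fragword >> 8); out[7] = (uint8_t)fragword;
    out[9] = 17;                                     /* protocol: UDP */
    memcpy(out + 20, "payload!", 8);
    return 28;
}

int main(void) {
    uint8_t pkt[28], buf[1500];
    size_t n = build_frag(pkt, 28, FRAG_MF);          /* honest first fragment */
    printf("honest:     unsafe=%zu safe=%zu end=%ld\n", payload_len_unsafe(pkt),
           payload_len_safe(pkt, n), reass_add_fragment(buf, sizeof buf, pkt, n));
    build_frag(pkt, 1500, FRAG_MF);                   /* lies about total length */
    printf("oversized:  unsafe=%zu safe=%zu\n", payload_len_unsafe(pkt),
           payload_len_safe(pkt, n));
    build_frag(pkt, 28, FRAG_OFF);                    /* offset 65528, final fragment */
    printf("far offset: end=%ld\n", reass_add_fragment(buf, sizeof buf, pkt, n));
    return 0;
}
```

The point of the hardened functions is that the wire-supplied values (total length, header length, fragment offset) are never used as a loop bound or a write position until they have been compared against `rcvd` and `bufsz`; on an embedded device this check is what stands between a single malformed packet and memory corruption of the controller.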
Recommendations
- Refer to SE's Recommended Cybersecurity Best Practices document to ensure a defence-in-depth approach.
- If you are using any of the vulnerable products that have fixes available, apply the latest updates as soon as possible.