20.08.2021 Schneider Electric Fixes Multiple Vulnerabilities

by Elena Lapina

Schneider Electric has recently published advisories covering multiple vulnerabilities in its products and third-party components. It is recommended that these updates should be applied as soon as possible.

Details

  • In August, Schneider Electric (SE) fixed a total of 25 vulnerabilities, three rated Critical, 18 High and four Medium. The most severe issues are related to updates in third-party product updates released earlier this year.
  • Multiple Microsoft Windows vulnerabilities were fixed in SE’s NTZ Mekhanotronika Rus. LLC control panels that use Windows operating system:
    • CVE-2021-31166 – an HTTP Protocol Stack Remote Code Execution vulnerability. An unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets. CVSS v3.0 Base Score: 9.8.
    • Windows Print Spooler vulnerabilities commonly known as PrintNightmare, and tracked as CVE-2021-34527 and CVE-2021-1675. Threat actors who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. They could then install programs; view, change, or delete data; or create new accounts with full user rights. CVSS v3.1 Base Score: 8.8.
  • Treck Inc.’s HTTP Server component used in the Schneider Electric TM3BC bus coupler module is affected by CVE-2020-25066. It’s a heap-based buffer overflow vulnerability that could allow denial of service (crash/reset) or arbitrary code execution. CVSS v3.1 Base Score: 10.
  • Programmable Automation Controllers (PacDrive) M were affected by several high-severity vulnerabilities in CODESYS V2 runtime software. The flaws are tracked as CVE-2021-30186, CVE-2021-30188, and CVE-2021-30195, and could cause a denial-of-service condition. CVSS v3.0 Base Score: 8.8.
  • Five of vulnerabilities in the NicheStack TCP/IP stack, known “INFRA:HALT”, affect Schneider Electric’s Lexium motion control drives. The flaws are tracked as CVE-2021-31400, CVE-2021-31401, CVE-2020-35683, CVE-2020-35684, and CVE-2020-35685, and could be used for denial of service. CVSS v3.0 Base Score: 7.5

Recommendations

  • We recommend reviewing the Schneider Electric advisories and applying the latest updates to mitigate the risk.
  • Refer to the SE Recommended Cybersecurity Best Practices and industry guidance below to assess your organization’s security posture.

References

 

Request Demo

Fill out the form and we will send you details about our demo.