Schneider Electric September 2021 security notifications

On 14 September 2021, Schneider Electric (SE) released seven security notifications on vulnerabilities in multiple products with some of them remaining unfixed. We recommend applying the mitigations and updates currently listed by the vendor.

Details

• The risks from two unpatched vulnerabilities in all current versions of monitoring software StruxureWare Data Center Expert could be mitigated by following the SE security hardening guidelines. Both were assigned a CVSS v3.1 Base Score of 9.1. The future versions of StruxureWare Data Center Expert will include a fix for these vulnerabilities:
  • CVE-2021-22794 is a path traversal vulnerability. A threat actor would need to send a specially-crafted request, and be authenticated in order to perform arbitrary code execution on a vulnerable system.
  • CVE-2021-22795 could allow the execution of arbitrary OS commands on vulnerable system(s). A remote user would need to pass specially-crafted data to the application.

• SE provided a list of mitigations to be applied for three vulnerabilities affecting Web Server on Modicon M340, Legacy Offers Modicon Quantum and Premium and Associated Communication Modules. Unmitigated systems are at risk of being targeted via the web server, which could result in disclosure of sensitive information or denial of service of the controller.
• CVE-2021-22797 also remains unpatched and affects all current versions of EcoStruxure Control Expert, EcoStruxure Process Expert DCS, and SCADAPack RemoteConnect. An authenticated threat actor could use this flaw for opening a corrupted project file, which could then result in arbitrary code execution on the engineering workstation.
• SE added remediations for SAGE RTU C3414 CPU, C3413 CPU and C3412 CPU affected by critical third-party vulnerabilities in ISaGRAF Workbench and ISaGRAF Runtime products embedded in multiple SE offerings. Malicious actors could take advantage of these flaws to access and disclose sensitive information, for privilege escalation, and in some cases for remote code execution.
• Version 1.15.10 of the C-Bus Toolkit and Version 2.11.8 of the C-Gate Server were released to address multiple security issues that could lead to remote code execution under certain conditions.

Recommendations

• Refer to Schneider Electric Recommended Cybersecurity Best Practices document to ensure the defence-in-depth approach.
• Follow SE security hardening guidelines in the security notifications listed above to reduce the risk.
• If you are using any of the vulnerable products that have fixes available, apply the latest updates as soon as possible.

References

• Schneider Electric Security Notifications
• Cybersecurity Best Practices