Schneider Data Center Monitoring Product Leaks Passwords
1.2.2017 securityweek Krypto
Schneider Electric has released an update for its StruxureWare Data Center Expert software suite to address a high severity vulnerability related to how the product stores passwords.
StruxureWare Data Center Expert is a DCIM (Data Center Infrastructure Management) solution designed for monitoring physical infrastructure, including security, power and the environment. The product has been used by financial institutions, media companies, insurers, and healthcare organizations.
Researchers at Positive Technologies discovered that the software stores passwords in cleartext in the random access memory (RAM), allowing a remote attacker to obtain the valuable information.
“A hacker could use this flaw to penetrate the internal network at a data center, obtain confidential information, or even cause physical harm,” explained Ilya Karpov, head of the ICS Research and Audit Unit at Positive Technologies. “Data Center Infrastructure Management (DCIM) platforms have the 'keys to the kingdom' at a data center, since they are connected to all installed systems.”
“A vulnerability such as this threatens the functioning of critical systems on which data centers depend: video surveillance, fire suppression, backup generators and generator control units, switches, pumps, UPS systems, and precision cooling,” Karpov added.
SAVE THE DATE: ICS Cyber Security Conference | Singapore - April 25-27, 2017
The flaw affects StruxureWare Data Center Expert 7.3.1 and prior, and it has been addressed with the release of version 7.4.0.
While ICS-CERT has not released an advisory for this weakness, the organization did disclose other Schneider Electric vulnerabilities in the past two weeks.
Users have been warned of a medium severity cross-site scripting (XSS) vulnerability in the homeLYnk logic controller for home automation, and a high severity credentials management issue (i.e. default passwords) affecting Wonderware Historian.
Schneider rolled out a firmware update to patch the XSS flaw in the homeLYnk controller, and provided mitigation advice for the Wonderware Historian security hole.