Schneider Data Center Monitoring Product Leaks Passwords

Schneider Electric has released an update for its StruxureWare Data Center Expert software suite to address a high severity vulnerability related to how the product stores passwords.

StruxureWare Data Center Expert is a DCIM (Data Center Infrastructure Management) solution designed for monitoring physical infrastructure, including security, power and the environment. The product has been used by financial institutions, media companies, insurers, and healthcare organizations.

Researchers at Positive Technologies discovered that the software stores passwords in cleartext in the random access memory (RAM), allowing a remote attacker to obtain the valuable information.

“A hacker could use this flaw to penetrate the internal network at a data center, obtain confidential information, or even cause physical harm,” explained Ilya Karpov, head of the ICS Research and Audit Unit at Positive Technologies. “Data Center Infrastructure Management (DCIM) platforms have the ‘keys to the kingdom’ at a data center, since they are connected to all installed systems.”

“A vulnerability such as this threatens the functioning of critical systems on which data centers depend: video surveillance, fire suppression, backup generators and generator control units, switches, pumps, UPS systems, and precision cooling,” Karpov added.

SAVE THE DATE: ICS Cyber Security Conference | Singapore – April 25-27, 2017

The flaw affects StruxureWare Data Center Expert 7.3.1 and prior, and it has been addressed with the release of version 7.4.0.

“Schneider Electric has become aware of a vulnerability in StruxureWare Data Center Expert 7.3.1.114 and 7.2.4 and earlier versions of the product. The vulnerability identified is related to the storage of the product passwords. It has been discovered that some passwords are stored in cleartext in random access memory (RAM). We issued a Security Notification that shares mitigation recommendations,” Schneider Electric told SecurityWeek in an emailed statement.

While ICS-CERT has not released an advisory for this weakness, the organization did disclose other Schneider Electric vulnerabilities in the past two weeks.

Users have been warned of a medium severity cross-site scripting (XSS) vulnerability in the homeLYnk logic controller for home automation, and a high severity credentials management issue (i.e. default passwords) affecting Wonderware Historian.

Schneider rolled out a firmware update to patch the XSS flaw in the homeLYnk controller, and provided mitigation advice for the Wonderware Historian security hole.

*Updated with statement from Schneider Electric

Related: ICS-CERT Issues Alerts After Expert Discloses Power Meter Flaws

Related: Flaw in Schneider Industrial Firewalls Allows Remote Code Execution

Related: Security Firm Discloses Unpatched Flaws in Schneider HMI Product