Schneider Electric has had to issue a patch for its StruxureWare Data Center Expert software after security firm Positive Technologies discovered a critical vulnerability in the monitoring system.
The vulnerability in the DCIM system, which is used by banks, media corporations, circuit board manufacturers, insurers, medical centers, and others, allowed remote access to sensitive information and gave attackers the ability to recover cleartext passwords from the system’s RAM.
You shall pass
“A hacker could use this flaw to penetrate the internal network at a data center, obtain confidential information, or even cause physical harm,” Ilya Karpov, head of the ICS research and audit unit at Positive Technologies, said.
“Data center infrastructure management (DCIM) platforms have the ‘keys to the kingdom’ at a data center, since they are connected to all installed systems. A vulnerability such as this threatens the functioning of critical systems on which data centers depend: video surveillance, fire suppression, backup generators and generator control units, switches, pumps, UPS systems, and precision cooling.”
The vulnerability is rated 7.6 on the Common Vulnerability Scoring System (CVSS) v3 scale from 0-10.
To fix the issue, Schneider has issued a patch, version 7.4.2, and urges all users to update immediately (something Heartbleed showed does not always happen). The steps to take to do this are detailed here.
Positive Technologies previously discovered vulnerabilities in Schneider’s Wonderware Information Server.