Categories: CloudDatacentre

Researchers Uncover Schneider Electric Data Centre System Flaw

Security researchers Positive Technologies have discovered a worrying security vulnerability in a data centre monitoring system that could have allowed attackers to remotely access unencrypted passwrods.

The flaw affects the Schneider Electric StruxureWare Data Center Expert, which is software designed to monitor the physical infrastructure at a data centre including cooling, backup generators, video surveillance and fire suppression.

Password Storage

Positive Technologies rated the flaw as 7.6 on the CVSS v3 scale and Schneider Electric has now  issued a patch for it.

It said that this high score reflects the ability of an outsider to obtain remote access to sensitive information found in critical data centre support systems that are connected to StruxureWare Data Center Expert.

Essentially the flaw could have allowed an attacker to recover passwords from RAM on the client side of the platform, as the passwords were held in unencrypted cleartext form.

“A hacker could use this flaw to penetrate the internal network at a data centre, obtain confidential information, or even cause physical harm,” said Ilya Karpov, Head of the ICS Research and Audit Unit at Positive Technologies.

“Data Centre Infrastructure Management (DCIM) platforms have the ‘keys to the kingdom’ at a data centre, since they are connected to all installed systems,” he added.

“A vulnerability such as this threatens the functioning of critical systems on which data centres depend: video surveillance, fire suppression, backup generators and generator control units, switches, pumps, UPS systems, and precision cooling.”

Patch Now

Schneider Electric is now urging all customers using StruxureWare Data Center Expert to upgrade to version 7.4 immediately.

“Schneider Electric has become aware of a vulnerability in StruxureWare Data Center Expert 7.3.1.114 and 7.2.4 and earlier versions of the product,” said the firm in its patch documentation. “Special thanks to Ilya Karpov of Positive Technologies who discovered the vulnerability.”

This is not the first time that flaws have been discovered with Schneider Electric products.

In November 2016 for example, security firm Critifence found two “PanelShock” bugs that could have allowed an attacker to overload a line of display panels made by the French industrial control systems giant and effectively take it offline.

And Positive Technologies researchers have also previously discovered vulnerabilities in Schneider Electric Wonderware Information Server back in 2013 and 2014.

And in 2015 Ilya Karpov identified an issue involving unencrypted storage of passwords in InTouch Machine Edition 2014.

Supervisory control and data acquisition (SCADA) systems allow industrial devices to be monitored and controlled remotely.

Security experts have long warned of the potential risks as critical infrastructure is linked to such networks.

Quiz: Are you a security pro?

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

7 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

9 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

10 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

11 hours ago