Categories: CloudDatacentre

Researchers Uncover Schneider Electric Data Centre System Flaw

Security researchers Positive Technologies have discovered a worrying security vulnerability in a data centre monitoring system that could have allowed attackers to remotely access unencrypted passwrods.

The flaw affects the Schneider Electric StruxureWare Data Center Expert, which is software designed to monitor the physical infrastructure at a data centre including cooling, backup generators, video surveillance and fire suppression.

Password Storage

Positive Technologies rated the flaw as 7.6 on the CVSS v3 scale and Schneider Electric has now  issued a patch for it.

It said that this high score reflects the ability of an outsider to obtain remote access to sensitive information found in critical data centre support systems that are connected to StruxureWare Data Center Expert.

Essentially the flaw could have allowed an attacker to recover passwords from RAM on the client side of the platform, as the passwords were held in unencrypted cleartext form.

“A hacker could use this flaw to penetrate the internal network at a data centre, obtain confidential information, or even cause physical harm,” said Ilya Karpov, Head of the ICS Research and Audit Unit at Positive Technologies.

“Data Centre Infrastructure Management (DCIM) platforms have the ‘keys to the kingdom’ at a data centre, since they are connected to all installed systems,” he added.

“A vulnerability such as this threatens the functioning of critical systems on which data centres depend: video surveillance, fire suppression, backup generators and generator control units, switches, pumps, UPS systems, and precision cooling.”

Patch Now

Schneider Electric is now urging all customers using StruxureWare Data Center Expert to upgrade to version 7.4 immediately.

“Schneider Electric has become aware of a vulnerability in StruxureWare Data Center Expert 7.3.1.114 and 7.2.4 and earlier versions of the product,” said the firm in its patch documentation. “Special thanks to Ilya Karpov of Positive Technologies who discovered the vulnerability.”

This is not the first time that flaws have been discovered with Schneider Electric products.

In November 2016 for example, security firm Critifence found two “PanelShock” bugs that could have allowed an attacker to overload a line of display panels made by the French industrial control systems giant and effectively take it offline.

And Positive Technologies researchers have also previously discovered vulnerabilities in Schneider Electric Wonderware Information Server back in 2013 and 2014.

And in 2015 Ilya Karpov identified an issue involving unencrypted storage of passwords in InTouch Machine Edition 2014.

Supervisory control and data acquisition (SCADA) systems allow industrial devices to be monitored and controlled remotely.

Security experts have long warned of the potential risks as critical infrastructure is linked to such networks.

Quiz: Are you a security pro?

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Ericsson To Cut 1,200 Jobs in Sweden Amid ‘Challenging’ Market

Swedish telecoms giant Ericsson blamed “challenging mobile networks market” and “further volume contraction” for job…

15 hours ago

FTX’s Sam Bankman-Fried Sentenced To 25 Years In Prison For $8bn Fraud

Dramatic downfall. Sam Bankman-Fried sentenced to 25 years in prison for masterminding $8bn fraud that…

16 hours ago

Elon Musk Orders FSD Demo For Every Tesla US Sale

Fallout avoidance? Tesla buyers in the US must be shown how to use the FSD…

17 hours ago

Amazon Pumps Another $2.75 Billion Into Anthropic

Amazon completes its $4bn investment into AI firm Anthropic, after providing an additional $2.75bn in…

18 hours ago

The Sustainability of AI

While AI promises unparalleled efficiency, productivity, and innovation, questions regarding its environmental impact loom large.…

21 hours ago

Trump’s Truth Social Makes Successful Market Debut

Shares in Donald Trump’s social media company rose about 16 percent after first day of…

21 hours ago