A critical vulnerability has been found in Schneider Electric’s StruxureWare Data Centre Expert which could potentially allow an outsider to obtain remote access to sensitive information such as passwords.

The flaw potentially puts banks, insurers, medical centres and other users of StruxureWare Data Centre at risk. Schneider has issued a patch for the vulnerability and has urged all installations of the software to be upgraded to version 7.4.

The vulnerability found in StruxureWare Data Centre, which is designed to monitor physical infrastructure, was rated 7.6 on the CVSS v3 scale. This high score reflects the ability of an outsider to obtain remote access to sensitive information found in critical data centre support systems that are connected to StruxureWare Data Center Expert. An attacker can recover passwords from RAM on the client side of the platform, where they are held in unencrypted form.

Ilya Karpov, Head of the ICS Research and Audit Unit at Positive Technologies, the company that discovered the vulnerability, said: “A vulnerability such as this threatens the functioning of critical systems on which data centres depend: video surveillance, fire suppression, backup generators and generator control units, switches, pumps, UPS systems, and precision cooling.”

Positive Technologies researchers previously uncovered vulnerabilities in Schneider Electric Wonderware Information Server in 2013 and 2014.

Karpov added: “A hacker could use this flaw to penetrate the internal network at a data centre, obtain confidential information, or even cause physical harm.”