The Cybersecurity and Infrastructure Security Agency (CISA) said Tuesday that an improper privilege management vulnerability has been found in Schneider Electric’s EcoStruxure Platform. The presence of the vulnerability can cause privilege escalation on the workstation when interacting directly with a driver installed by the runtime software of EcoStruxure Operator Terminal Expert.
The EcoStruxure Operator Terminal Expert product is configuration software for the Harmony range of push buttons, switches and pilot lights, which supports gestures and user interface designs. Failure to apply the fixes provided may lead to unauthorized command execution by a local Windows user, which could result in loss of availability, confidentiality and integrity of the workstation on which the EcoStruxure Operator Terminal Expert runtime is installed.
The vulnerability has been assigned CVE-2020-7544, and a CVSS v3 base score of 7.4 has been calculated for it. According to the National Vulnerability Database, the entry is still undergoing analysis because not all information is yet available.
Used globally in commercial facilities, energy, food and agriculture, government facilities, transportation systems, water and wastewater systems, the EcoStruxure Platform functions as the digital backbone that integrates operational technology (OT) offerings with the latest in IT technology to unlock trapped value in connected environments.
Schneider Electric reported in a security notification dated Nov. 10 that the vulnerability affects EcoStruxure Operator Terminal Expert Runtime 3.1 Service Pack 1A and prior when installed on Windows PCs that boot using legacy BIOS, and on Harmony iPC (HMIG5U, HMIG5U2) units using the legacy BIOS component that comes pre-installed on those Windows computers. Windows PCs that boot using the Unified Extensible Firmware Interface (UEFI) are not affected by the vulnerability.
BIOS is the firmware the computer runs at startup; it allows the CPU to communicate with connected input and output devices such as the keyboard or monitor. UEFI is a newer specification that defines the software interface between an operating system and the platform firmware.
Lasse Trolle Borup of Danish Cyber Defense has been recognized by Schneider Electric for identifying and helping to coordinate a response to the vulnerability.
The Washington, D.C.-based security agency advises users to take defensive measures to minimize the risk of exploitation by decreasing network exposure for all control system devices and systems and ensuring that they are not accessible from the internet. It also suggested that users locate control system networks and remote devices behind firewalls and isolate them from the business network.
Where remote access is required, CISA recommended that users adopt secure methods, such as Virtual Private Networks (VPNs), while recognizing that VPNs themselves may have vulnerabilities and should be updated to the most current version available. It also suggested that organizations perform a proper impact analysis and risk assessment before deploying defensive measures.
The French multinational that specializes in energy management and automation offerings released version 3.1 Service Pack 1B of the EcoStruxure Operator Terminal Expert product with a fix for the vulnerability available through Schneider Electric Software Update (SESU).
If users choose not to apply the fix, they should run the EcoStruxure Operator Terminal Expert runtime software only on a trusted workstation and harden that workstation by following standard cybersecurity practices, such as keeping antivirus software and the operating system up to date and enforcing strong password policies. Users can check whether their PC boots using UEFI by running msinfo32.exe, the System Information tool provided with Microsoft Windows, and reading the "BIOS Mode" field.
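The firmware check described above can be scripted for fleet inventory. The PowerShell below is an added example written for this article; it is not code from Schneider Electric or CISA. It reports the same "BIOS Mode" value that msinfo32.exe shows, using Get-ComputerInfo with a fallback to the firmware_type environment variable, and then does a best-effort lookup of the Operator Terminal Expert runtime in the Windows Uninstall registry keys. The registry lookup assumes the runtime registers a DisplayName containing "Operator Terminal Expert", which the advisory does not state, so treat a "not found" result as inconclusive.

```powershell
# Added example (not from the advisory): classify a Windows PC as UEFI or legacy BIOS,
# which is the condition the Schneider Electric notification uses to scope CVE-2020-7544.
function Get-FirmwareMode {
    # Preferred: Get-ComputerInfo (PowerShell 5.1+) exposes the same value msinfo32 labels "BIOS Mode".
    try {
        $type = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
        if ($type) { return [string]$type }      # "Uefi" or "Bios"
    } catch { }
    # Fallback: Windows 8 and later set this variable for the running session.
    if ($env:firmware_type) { return $env:firmware_type }   # "UEFI" or "Legacy"
    return "Unknown"
}

# Best-effort inventory of the Operator Terminal Expert runtime from the Uninstall registry keys.
# Assumption (not stated in the advisory): the installer registers a DisplayName matching this pattern.
function Get-OteRuntimeEntries {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Operator Terminal Expert*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

$mode = Get-FirmwareMode
Write-Host "Firmware mode: $mode"
if ($mode -match '^(Uefi|UEFI)$') {
    Write-Host "UEFI boot detected: the advisory states UEFI systems are not affected by CVE-2020-7544."
} elseif ($mode -match '^(Bios|Legacy)$') {
    Write-Host "Legacy BIOS boot detected: confirm the runtime is at 3.1 Service Pack 1B or later via SESU."
} else {
    Write-Host "Could not determine firmware mode; check the 'BIOS Mode' field in msinfo32.exe manually."
}

$entries = Get-OteRuntimeEntries
if ($entries) {
    $entries | Format-Table -AutoSize
} else {
    Write-Host "No Operator Terminal Expert entry found in the Uninstall keys (inconclusive; it may register elsewhere)."
}
```

Run it in an elevated PowerShell session on each workstation that hosts the runtime; the firmware mode is the decisive field, since the advisory scopes the flaw to legacy BIOS systems, and the version column only tells you whether Service Pack 1B has been applied.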
Schneider Electric announced in March that it had joined the Cybersecurity Tech Accord, an agreement among over 144 global companies that have committed to protect and empower civilians online, while improving security, stability and resilience of cyberspace.