Attacks and Vulnerabilities
News
Vendors
Vulnerabilities

CISA identifies new vulnerability in Schneider Electric’s EcoStruxure Platform

December 03, 2020
CISA identifies new vulnerability in Schneider Electric’s EcoStruxure Platform

The Cybersecurity and Infrastructure Security Agency (CISA) said Tuesday that an improper privilege management vulnerability has been found in Schneider Electric’s EcoStruxure Platform. The presence of the vulnerability can cause privilege escalation on the workstation when interacting directly with a driver installed by the runtime software of EcoStruxure Operator Terminal Expert.

The EcoStruxure Operator Terminal Expert product is configuration software for the Harmony range of push buttons, switches and pilot lights, which supports gestures and user interface designs. Failure to apply the fixes provided may lead to unauthorized command execution by a local Windows user, which could result in loss of availability, confidentiality and integrity of the workstation on which the EcoStruxure Operator Terminal Expert runtime is installed.

The vulnerability has been assigned CVE-2020-7544, and a CVSS v3 base score of 7.4 has been measured. It is currently undergoing analysis as not all information is available, according to the National Vulnerability Database.

Used globally in commercial facilities, energy, food and agriculture, government facilities, transportation systems, water and wastewater systems, the EcoStruxure Platform functions as the digital backbone that integrates operational technology (OT) offerings with the latest in IT technology to unlock trapped value in connected environments.

Schneider Electric reported in a security notification dated Nov. 10 that the vulnerability affects EcoStruxure Operator Terminal Expert Runtime 3.1 Service Pack 1A and prior installed on Windows PC using legacy BIOS and Harmony iPC (HMIG5U, HMIG5U2) using the legacy BIOS component which comes pre-installed on Windows computers. Windows PCs using Unified Extensible Firmware Interface (UEFI) are not impacted by the vulnerability.

BIOS contains the software element that the computer uses at startup and allows the CPU to communicate with connected input and output devices like the keyboard or monitor, while UEFI is a specification that defines a software interface between an operating system and platform firmware.

Lasse Trolle Borup of Danish Cyber Defense has been recognized by Schneider Electric for identifying and helping to coordinate a response to the vulnerability.

The Washington, D.C., based security agency advises users to take defensive measures to minimize the risk of exploitation of the vulnerability by decreasing network exposure for all control system devices and/or systems, and ensure that they are not accessible from the internet. It also suggested that users locate control system networks and remote devices behind firewalls, and isolate them from the business network.

In case remote access is required, CISA recommended that users adopt secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. It also suggested that organizations perform proper impact analysis and risk assessment prior to deploying defensive measures.

The French multinational that specializes in energy management and automation offerings released version 3.1 Service Pack 1B of the EcoStruxure Operator Terminal Expert product with a fix for the vulnerability available through Schneider Electric Software Update (SESU).

In case users choose not to adopt the fix provided, they should use EcoStruxure Operator Terminal Expert runtime software only on a trusted workstation, and strengthen the workstation by following cybersecurity practices such as updated antivirus and operating systems, and strong password policies. Enabled users can identify if their PC uses the UEFI technology by using the msinfo32.exe provided by Microsoft Windows system command.

Schneider Electric announced in March that it had joined the Cybersecurity Tech Accord, an agreement among over 144 global companies that have committed to protect and empower civilians online, while improving security, stability and resilience of cyberspace.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

New NSA guidance identifies need to update AI systems to address changing risks, bolster security
New NSA guidance identifies need to update AI systems to address changing risks, bolster security
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow's emergency detection systems
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow’s emergency detection systems
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations
Continuous need to face challenges, build strategies across industrial cybersecurity amidst evolving threats
Continuous need to face challenges, build strategies across industrial cybersecurity amidst evolving threats
CISA partners with private sector after Sisense security breach, as critical infrastructure sector potentially impacted
CISA partners with private sector after Sisense security breach, as critical infrastructure sector potentially impacted
Forescout discloses Connect:fun exploitation campaign targeting organizations using Fortinet's FortiClient EMS
Forescout discloses Connect:fun exploitation campaign targeting organizations using Fortinet’s FortiClient EMS
CISA issues Emergency Directive 24-02 in response to Russian cyber threat targeting Microsoft email accounts
CISA issues Emergency Directive 24-02 in response to Russian cyber threat targeting Microsoft email accounts
European Commission recommends Coordinated Implementation Roadmap for transition to Post-Quantum Cryptography
European Commission recommends Coordinated Implementation Roadmap for transition to Post-Quantum Cryptography
HP details evolution of Raspberry Robin malware, shift in distribution method and threat landscape
HP details evolution of Raspberry Robin malware, shift in distribution method and threat landscape
MITRE Engenuity's Center for Threat-Informed Defense expands cybersecurity community resources
MITRE Engenuity’s Center for Threat-Informed Defense expands cybersecurity community resources