Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU58500
Risk: Low
CVSSv3.1: 3.3 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-22799
CWE-ID:
CWE-331 - Insufficient Entropy
Exploit availability: No
Description
The vulnerability allows a local user to gain access to sensitive information on the system.
The vulnerability exists due to an insufficient entropy issue. A local user can decrypt the SESU proxy password stored in the registry.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Software Update: 2.3.0 - 2.5.1
EcoStruxure Augmented Operator Advisor: All versions
EcoStruxure Control Expert: All versions
EcoStruxure Process Expert: All versions
EcoStruxure Machine Expert: All versions
EcoStruxure Machine Expert Basic: All versions
EcoStruxure Operator Terminal Expert: All versions
EcoStruxure Plant Builder: All versions
EcoStruxure Power Design: All versions
EcoStruxure Automation Expert: All versions
EcoStruxure Automation Maintenance Expert: All versions
Eurotherm Data Reviewer: All versions
Eurotherm iTools: All versions
eXLhoist Configuration: All versions
Schneider Electric Floating License Manager: All versions
Schneider Electric License Manager: All versions
Harmony XB5SSoft: All versions
SoMove: All versions
Versatile Software BLUE: All versions
Vijeo Designer: All versions
OsiSense XX Configuration Software: All versions
Zelio Soft 2: All versions
External links
http://ics-cert.us-cert.gov/advisories/icsa-21-336-01
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-313-02
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can only be exploited locally. The attacker must hold valid credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.