Information disclosure in Schneider Electric SESU



Published: 2021-12-03
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2021-22799
CWE-ID CWE-331
Exploitation vector Local
Public exploit N/A
Vulnerable software
Subscribe
Software Update
Client/Desktop applications / Other client software

EcoStruxure Operator Terminal Expert
Client/Desktop applications / Other client software

SoMove
Client/Desktop applications / Other client software

EcoStruxure Augmented Operator Advisor
Server applications / Other server solutions

EcoStruxure Machine Expert Basic
Server applications / Other server solutions

EcoStruxure Plant Builder
Server applications / Other server solutions

EcoStruxure Power Design
Server applications / Other server solutions

EcoStruxure Automation Expert
Server applications / Other server solutions

EcoStruxure Automation Maintenance Expert
Server applications / Other server solutions

Eurotherm Data Reviewer
Server applications / Other server solutions

Eurotherm iTools
Server applications / Other server solutions

eXLhoist Configuration
Server applications / Other server solutions

Schneider Electric Floating License Manager
Server applications / Other server solutions

Schneider Electric License Manager
Server applications / Other server solutions

Harmony XB5SSoft
Server applications / Other server solutions

Versatile Software BLUE
Server applications / Other server solutions

Vijeo Designer
Server applications / Other server solutions

OsiSense XX Configuration Software
Server applications / Other server solutions

EcoStruxure Control Expert
Server applications / SCADA systems

EcoStruxure Process Expert
Server applications / SCADA systems

EcoStruxure Machine Expert
Server applications / SCADA systems

Zelio Soft 2
Hardware solutions / Firmware

Vendor Schneider Electric

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Insufficient Entropy

EUVDB-ID: #VU58500

Risk: Low

CVSSv3.1: 3.3 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-22799

CWE-ID: CWE-331 - Insufficient Entropy

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information on the system.

The vulnerability exists due to insufficient entropy issue. A local user can decrypt the SESU proxy password from the registry.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Software Update: 2.3.0 - 2.5.1

EcoStruxure Augmented Operator Advisor: All versions

EcoStruxure Control Expert: All versions

EcoStruxure Process Expert: All versions

EcoStruxure Machine Expert: All versions

EcoStruxure Machine Expert Basic: All versions

EcoStruxure Operator Terminal Expert: All versions

EcoStruxure Plant Builder: All versions

EcoStruxure Power Design: All versions

EcoStruxure Automation Expert: All versions

EcoStruxure Automation Maintenance Expert: All versions

Eurotherm Data Reviewer: All versions

Eurotherm iTools: All versions

eXLhoist Configuration: All versions

Schneider Electric Floating License Manager: All versions

Schneider Electric License Manager: All versions

Harmony XB5SSoft: All versions

SoMove: All versions

Versatile Software BLUE: All versions

Vijeo Designer: All versions

OsiSense XX Configuration Software: All versions

Zelio Soft 2: All versions

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-336-01
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-313-02


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###