SB2024101655 - Multiple vulnerabilities in Schneider Electric Data Center Expert
Published: October 16, 2024 Updated: October 18, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2024-8531)
The vulnerability allows a remote user to compromise the target system.
The vulnerability exists due to improper verification of cryptographic signature. A remote administrator can compromise the target software when an upgrade bundle is manipulated to include arbitrary bash scripts that are executed as root.
2) Missing Authentication for Critical Function (CVE-ID: CVE-2024-8530)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to missing authentication for critical function. A remote attacker can gain access to private data when an already generated "logcaptures" archive is accessed directly by HTTPS.
Remediation
Install update from vendor's website.
References
- https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-282-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-282-01.pdf
- https://www.cisa.gov/news-events/ics-advisories/icsa-24-289-02
- https://www.zerodayinitiative.com/advisories/ZDI-24-1417/
- https://www.zerodayinitiative.com/advisories/ZDI-24-1416/