Missing Encryption of Sensitive Data in Schneider Electric products - CVE-2021-22782
Published: July 14, 2021 / Updated: June 2, 2022
Affected products
- EcoStruxure Process Expert
- SCADAPack RemoteConnect for x70
- SCADAPack 470
- SCADAPack 474
- SCADAPack 570
- SCADAPack 574
- SCADAPack 575 RTUs
- EcoStruxure Control Expert
Vendor
- Schneider Electric
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists because sensitive data is not encrypted. A remote attacker who can access a project file can cause an information leak, disclosing network and process information, credentials, or intellectual property.
Remediation
External links
- https://ics-cert.us-cert.gov/advisories/icsa-21-194-02
- https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-01
- https://ics-cert.kaspersky.com/advisories/2022/05/20/klcert-21-007-schneider-electric-ecostruxure-control-expert-process-expert-scadapack-remoteconnect-for-x70-information-leak-from-project-file/