#VU58500 Insufficient Entropy in Schneider Electric products - CVE-2021-22799

 

Published: December 3, 2021


Vulnerability identifier: #VU58500
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-22799
CWE-ID: CWE-331
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software:
Software Update
EcoStruxure Operator Terminal Expert
SoMove
EcoStruxure Augmented Operator Advisor
EcoStruxure Machine Expert Basic
EcoStruxure Plant Builder
EcoStruxure Power Design
EcoStruxure Automation Expert
EcoStruxure Automation Maintenance Expert
Eurotherm Data Reviewer
Eurotherm iTools
eXLhoist Configuration
Schneider Electric Floating License Manager
Schneider Electric License Manager
Harmony XB5SSoft
Versatile Software BLUE
Vijeo Designer
OsiSense XX Configuration Software
EcoStruxure Control Expert
EcoStruxure Process Expert
EcoStruxure Machine Expert
Zelio Soft 2
Software vendor:
Schneider Electric

Description

The vulnerability allows a local user to gain access to sensitive information on the system.

The vulnerability exists due to insufficient entropy. A local user can decrypt the SESU proxy password from the registry.


Remediation

Install updates from the vendor's website.

External links