Insufficient Entropy in Schneider Electric products - CVE-2021-22799

 

Insufficient Entropy in Schneider Electric products - CVE-2021-22799

Published: December 3, 2021


Vulnerability identifier: #VU58500
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-22799
CWE-ID: CWE-331
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Schneider Electric
Affected software:
Software Update
EcoStruxure Operator Terminal Expert
SoMove
EcoStruxure Augmented Operator Advisor
EcoStruxure Machine Expert Basic
EcoStruxure Plant Builder
EcoStruxure Power Design
EcoStruxure Automation Expert
EcoStruxure Automation Maintenance Expert
Eurotherm Data Reviewer
Eurotherm iTools
eXLhoist Configuration
Schneider Electric Floating License Manager
Schneider Electric License Manager
Harmony XB5SSoft
Versatile Software BLUE
Vijeo Designer
OsiSense XX Configuration Software
EcoStruxure Control Expert
EcoStruxure Process Expert
EcoStruxure Machine Expert
Zelio Soft 2

Detailed vulnerability description

The vulnerability allows a local user to gain access to sensitive information on the system.

The vulnerability exists due to insufficient entropy issue. A local user can decrypt the SESU proxy password from the registry.


How to mitigate CVE-2021-22799

Install updates from vendor's website.

Sources