Positive Technologies discovers security vulnerability in data center monitoring system that could allow remote access to unencrypted passwords

Schneider Electric issues patch for StruxureWare Data Center Expert, used by banks, media corporations, insurers, medical centers, and other companies to monitor critical systems such as video surveillance and fire suppression.

Positive Technologies has discovered a critical vulnerability in Schneider Electric StruxureWare Data Center Expert. The product from Schneider Electric, designed to monitor physical infrastructure at data centers, is used by banks, media corporations, circuit board manufacturers, insurers, medical centers, and other companies to manage the functioning of everything from cooling to backup generators at data centers.

The vulnerability is rated 7.6 on the CVSS v3 scale, a high score that reflects the ability of an outsider to obtain remote access to sensitive information found in critical data center support systems that are connected to StruxureWare Data Center Expert. An attacker can recover passwords from RAM on the client side of the platform, where they are held in unencrypted form.

"A hacker could use this flaw to penetrate the internal network at a data center, obtain confidential information, or even cause physical harm," said Ilya Karpov, Head of the ICS Research and Audit Unit at Positive Technologies. "Data Center Infrastructure Management (DCIM) platforms have the 'keys to the kingdom' at a data center, since they are connected to all installed systems. A vulnerability such as this threatens the functioning of critical systems on which data centers depend: video surveillance, fire suppression, backup generators and generator control units, switches, pumps, UPS systems, and precision cooling."

Schneider Electric urges updating all installations of StruxureWare Data Center Expert to version 7.4.

In 2013 and 2014, Positive Technologies researchers also uncovered vulnerabilities in Schneider Electric Wonderware Information Server. At the Positive Hack Days IV international forum, participants in the Critical Infrastructure Attackcompetition located a number of vulnerabilities in Schneider Electric systems. In addition, in 2015 Ilya Karpov identified an issue involving unencrypted storage of passwords in InTouch Machine Edition 2014.