Schneider Electric StruxureWare Building Expert Plaintext Credentials Vulnerability
Low Risk | ICS-CERT ICSA-15-258-01 | Jun 18, 2015
Summary
StruxureWare Building Expert multi-purpose management device transmits credentials in plaintext over the network. An attacker with network access can capture these credentials and gain unauthorized control of the building automation and energy management system. The product is no longer receiving security updates, and no vendor patch is planned.
What this means
What could happen
An attacker with network access to the StruxureWare Building Expert device could capture plaintext credentials from network traffic, gaining unauthorized access to the building automation and energy management system.
Who's at risk
Building automation and energy management operators using Schneider Electric StruxureWare Building Expert multi-purpose management devices in commercial facilities, office buildings, and industrial sites where HVAC, lighting, and energy consumption are monitored and controlled.
How it could be exploited
An attacker on the same network as the StruxureWare Building Expert device could sniff network traffic to intercept credentials transmitted in plaintext, then use those credentials to authenticate to the device and modify building automation settings, alter energy management parameters, or disable monitoring and control functions.
Prerequisites
- Network access to the StruxureWare Building Expert device
- Ability to capture network traffic (e.g., positioned on the network segment or able to perform ARP spoofing)
- Knowledge of which ports or protocols transmit credentials
- No patch available
- Plaintext credentials over network
- End-of-life product
- Default credentials risk
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product: StruxureWare Building Expert, multi-purpose management device (MPM)
Affected Versions: <2.15
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Deploy a firewall or network access control list to restrict access to the StruxureWare Building Expert device to only authorized management workstations
WORKAROUND: Change all default credentials on the StruxureWare Building Expert device to strong, unique passwords
Mitigations - no patch available
StruxureWare Building Expert, multi-purpose management device (MPM): <2.15 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate the StruxureWare Building Expert device from untrusted networks
HARDENING: Monitor network traffic for suspicious connections to the device and implement network intrusion detection
HARDENING: Evaluate and plan for replacement of the StruxureWare Building Expert device, as no vendor patch is available and the product is not receiving security updates
CVEs (1)