OTPulse

Schneider Electric EcoStruxure Power Design

Monitor | CVSS 7.8 | ICS-CERT ICSA-24-072-01 | Mar 12, 2024
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

EcoStruxure Power Design - Ecodial contains a deserialization flaw that allows arbitrary code execution when a malicious project file is opened. The vulnerability affects all versions of the Ecodial NL, INT, and FR variants. An attacker could craft a malicious project file that, when opened by an engineer on the workstation, executes arbitrary code with user privileges. Schneider Electric is developing a fix for future versions but has not yet released a patch. Until remediation is available, Schneider recommends integrity checking of project files using hash verification, restricting file sources to trusted parties, and implementing network and physical access controls to isolate the engineering environment.

What this means
What could happen
An attacker with access to the workstation running EcoStruxure Power Design could execute arbitrary code on the device, potentially allowing them to modify electrical system design files or disable engineering controls. This could lead to misconfiguration of power distribution systems or loss of design integrity for critical electrical infrastructure.
Who's at risk
Electrical utility engineers and power system design teams using Schneider Electric EcoStruxure Power Design (Ecodial variants: NL, INT, FR) are affected. Any organization designing electrical distribution systems or performing power system engineering that relies on these Schneider applications should assess their exposure. All versions are vulnerable with no patch currently available.
How it could be exploited
An attacker must gain local access to a workstation running the affected software, typically by tricking a user into opening a malicious project file (CWE-502: deserialization of untrusted data). The file is processed by the application, triggering code execution with the privileges of the user running the software.
Prerequisites
  • Local access to the engineering workstation running EcoStruxure Power Design
  • User must open a malicious project file
  • No special privileges or credentials required
  • No authentication required
  • Local access required (not remotely exploitable)
  • Low complexity attack
  • No patch available
  • Affects electrical infrastructure design
  • Untrusted data deserialization (CWE-502)
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
EcoStruxure Power Design - Ecodial NL: vers:all/* | All versions | No fix (EOL)
EcoStruxure Power Design - Ecodial FR: vers:all/* | All versions | No fix (EOL)
EcoStruxure Power Design - Ecodial INT: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Compute and maintain a hash of all project files; regularly verify file integrity before opening
HARDENING: Store project file hashes in a separate location from the project files themselves
WORKAROUND: When sharing project files, provide hash values through a separate out-of-band channel (email, call, etc.) to prevent tampering during transfer
WORKAROUND: Only open project files received from trusted, verified sources; reject unsolicited files
WORKAROUND: Scan all removable media (USB drives, CDs) for malware before connecting to the engineering workstation
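
An added example (not from Schneider Electric or the advisory) of the hash-verification workaround: it records SHA-256 hashes in a manifest kept outside the project directory and, before a file is opened, reports it as ok, modified, missing or unlisted. The `.project` file names and the JSON manifest layout are assumptions made for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash in chunks so large project files are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(project_dir: Path) -> dict:
    return {p.relative_to(project_dir).as_posix(): sha256_file(p)
            for p in sorted(project_dir.rglob("*")) if p.is_file()}


def build_manifest(project_dir: Path, manifest_path: Path) -> None:
    """Record known-good hashes; refuse to store them beside the project files."""
    if project_dir.resolve() in manifest_path.resolve().parents:
        raise ValueError("keep the manifest outside the project directory")
    manifest_path.write_text(json.dumps(hash_tree(project_dir), indent=2))


def verify(project_dir: Path, manifest_path: Path) -> dict:
    """Per-file status: ok, modified, missing, or unlisted (no recorded hash)."""
    expected = json.loads(manifest_path.read_text())
    actual = hash_tree(project_dir)
    status = {name: "missing" for name in expected if name not in actual}
    for name, digest in actual.items():
        if name not in expected:
            status[name] = "unlisted"  # e.g. an unsolicited file: do not open
        else:
            status[name] = "ok" if digest == expected[name] else "modified"
    return status


def demo() -> dict:  # constructed sample: placeholder names and contents
    with tempfile.TemporaryDirectory() as d1, tempfile.TemporaryDirectory() as d2:
        proj, manifest = Path(d1), Path(d2) / "manifest.json"
        (proj / "site_a.project").write_bytes(b"constructed sample A")
        (proj / "site_b.project").write_bytes(b"constructed sample B")
        build_manifest(proj, manifest)
        (proj / "site_b.project").write_bytes(b"changed after hashing")
        (proj / "unsolicited.project").write_bytes(b"file with no recorded hash")
        return verify(proj, manifest)
```

Only files reported as ok should be opened in the application; the manifest location itself needs write protection, since anyone who can edit both the file and its recorded hash defeats the check.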
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Use secure communication protocols (TLS/VPN) when exchanging project files over the network
HARDENING: Apply general workstation hardening: disable unnecessary services, keep OS and applications patched, configure host firewall
HARDENING: Remove user accounts for personnel who no longer require access to the application; implement least privilege access controls
HARDENING: Implement physical access controls: restrict access to the workstation and ensure it is not left in Program mode when unattended
Mitigations - no patch available
The following products have reached End of Life with no planned fix: EcoStruxure Power Design - Ecodial NL: vers:all/*, EcoStruxure Power Design - Ecodial FR: vers:all/*, EcoStruxure Power Design - Ecodial INT: vers:all/*. Apply the following compensating controls:
HARDENING: Isolate the engineering workstation network from the business network and the Internet using firewalls and network segmentation