Schneider Electric PACTware

Plan Patch7.1SEVD-2020-224-08Aug 11, 2020

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Schneider Electric PACTware versions 5.0.5.30 and prior, and 4.1 SP5 and prior, contain multiple vulnerabilities that allow a local user to modify configuration files and process control logic with high integrity and availability impact. An attacker with local user privileges (not requiring administrator rights) could alter industrial device configurations deployed through PACTware.

What this means

What could happen

An attacker with local access to an engineering workstation running PACTware could modify process configurations or control logic, potentially disrupting industrial control operations or altering setpoints on connected devices.

Who's at risk

Energy sector organizations using Schneider Electric PACTware for engineering and configuration of industrial automation devices including PLCs, variable frequency drives (VFDs), and other Schneider Electric compatible devices. This affects anyone with engineering workstations running PACTware for device commissioning, maintenance, or configuration updates.

How it could be exploited

An attacker with local user privileges on a workstation running vulnerable PACTware could exploit privilege escalation or file manipulation vulnerabilities to gain integrity and availability control over PACTware configurations. These modified configurations could then be deployed to connected industrial devices (PLCs, variable frequency drives, etc.) when an operator loads them into the device.

Prerequisites

Local access to a workstation running PACTware
User account with permissions to run PACTware (no admin required based on CVSS PR:L)
PACTware version 5.0.5.30 or earlier, or version 4.1 SP5 or earlier

Local access required (lower remote risk, but common in engineering shops)Low complexity attackAffects integrity and availability of control configurationsImpacts engineering/commissioning workflowHigh CVSS score (7.1)

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

Schneider Electric PACTware V5.0.5.30 and prior≤ 5.0.5.304.1 SP6a

Schneider Electric PACTware V4.1 SP5 and prior≤ 4.1 SP54.1 SP6a

Remediation & Mitigation

0/3

Do now

0/1

HARDENINGRestrict local access to engineering workstations running PACTware to authorized personnel only

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Schneider Electric PACTware to version 4.1 SP6a or version 5.0.5.31 or later

HARDENINGImplement file integrity monitoring on PACTware configuration files to detect unauthorized modifications

CVEs (2)

CVE-2020-9403 CVE-2020-9404

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/a5673374-aa67-47be-8b83-6b4748dff3c6