C-Bus Toolkit
Status: Monitor
Score: 6.5
Vendor advisory: SEVD-2021-194-04
Published: Jul 13, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
C-Bus Toolkit versions 1.15.8 and earlier contain a vulnerability (CWE-306) that could allow remote code execution on a computer running the application. C-Bus Toolkit is used to configure and commission C-Bus building automation installations. Successful exploitation requires user interaction—an attacker would need the user to open a specially crafted file or input in the application. If exploited, an attacker could execute arbitrary code with the privileges of the user running the application.
What this means
What could happen
An attacker could execute arbitrary code on an engineering workstation running C-Bus Toolkit, potentially compromising the integrity of C-Bus building automation configurations or the workstation itself.
Who's at risk
Building automation and energy management personnel who use Schneider Electric's C-Bus Toolkit on engineering workstations to configure and commission C-Bus home automation and building control systems should apply this patch.
How it could be exploited
An attacker could send a specially crafted file or network request to a user running C-Bus Toolkit. If the user opens or interacts with the malicious file in the application, the vulnerability is triggered and arbitrary code runs on the workstation with the user's privileges.
Prerequisites
- User interaction required (the user must open or interact with the malicious input in C-Bus Toolkit)
- C-Bus Toolkit v1.15.8 or earlier must be installed and running
- Network-accessible C-Bus Toolkit or ability to deliver malicious file to user
Tags: remotely exploitable; low complexity; requires user interaction; affects engineering workstations
Exploitability
Moderate exploit probability (EPSS 1.4%)
Affected products (1)
Product                          | Affected Versions | Fix Status
C-Bus Toolkit v1.15.8 and prior  | ≤ 1.15.8          | Fixed in 1.15.9
Remediation & Mitigation
[ ] Schedule: requires a maintenance window
[ ] Patching may require a device reboot; plan for process interruption
[ ] HOTFIX: Update C-Bus Toolkit to version 1.15.9 or later and reboot the engineering workstation
CVEs (1)