OTPulse

Schneider Electric Software Update

Low Risk | CVSS 3.8 | SEVD-2021-313-02 | Nov 9, 2021
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Schneider Electric Software Update (SESU) versions 2.3.0 through 2.5.1 contain a vulnerability in the handling of proxy server credentials. When users manually configure proxy settings with credentials in SESU, those credentials are stored with improper protection. An attacker with local access to the machine could potentially decrypt and steal these credentials, which could be used to intercept or manipulate network communications and software updates.

What this means
What could happen
An attacker with local access to a machine running vulnerable SESU can decrypt and steal proxy server credentials stored by the software. These credentials could then be used to intercept or manipulate network traffic for Schneider Electric product updates.
Who's at risk
Energy sector organizations using Schneider Electric Software Update (SESU) to manage product updates should care about this issue. Anyone managing SESU deployments on networked workstations or servers in control system environments is at risk if proxy credentials are stored.
How it could be exploited
An attacker who gains local access to a machine where SESU is installed can read the improperly protected proxy credentials from the software's configuration. The attacker would then decrypt these credentials and use them to intercept or redirect software updates and security patches for other Schneider Electric products.
Prerequisites
  • Local access to the machine running SESU
  • SESU version 2.3.0 through 2.5.1 installed
  • Proxy credentials configured in SESU with manual settings
Weak credential protection | Local access required | Low CVSS score but affects update delivery mechanism
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
Schneider Electric Software Update, V2.3.0 through V2.5.1 | ≥ 2.3.0, ≤ 2.5.1 | 2.5.2
Remediation & Mitigation
Do now
WORKAROUND: If upgrade is not immediately possible, do not store proxy credentials in SESU; use a system-level proxy or configure SESU without saved credentials
HARDENING: Restrict local access to machines running SESU to authorized users only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade SESU to version 2.5.2 or later
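
The prerequisites and remediation steps above can be applied to an asset inventory as a triage check. This is an added example, not part of the advisory or any Schneider Electric tooling; the CSV column names, host names and bucket labels are assumptions, and the sample inventory is constructed.

```python
import csv
import io
import re

# Affected range as stated in the advisory (fixed in 2.5.2).
FIRST_AFFECTED = (2, 3, 0)
LAST_AFFECTED = (2, 5, 1)

# Constructed sample inventory; the column names are assumptions.
SAMPLE_INVENTORY = """host,sesu_version,proxy_mode,proxy_credentials_saved
eng-ws-01,V2.5.1,manual,yes
eng-ws-02,2.4.0.0,manual,no
hist-srv-01,2.5.2,manual,yes
eng-ws-03,2.2.0,manual,yes
eng-ws-04,unknown,system,no
"""

def parse_version(text):
    """Return (major, minor, patch), or None if the string is not a version."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)*", text.strip())
    if not m:
        return None
    return tuple(int(p or 0) for p in m.groups())

def triage(row):
    """Map one inventory row to the advisory's remediation buckets."""
    version = parse_version(row["sesu_version"])
    if version is None:
        # Never assume an unreadable version is safe; check the host by hand.
        return "verify-version"
    if not (FIRST_AFFECTED <= version <= LAST_AFFECTED):
        return "not-affected"
    exposed = (row["proxy_mode"].lower() == "manual"
               and row["proxy_credentials_saved"].lower() == "yes")
    # All three prerequisites met: apply the workaround now, then upgrade.
    return "workaround-now-and-upgrade" if exposed else "schedule-upgrade"

def triage_inventory(csv_text):
    """Return {host: action} for every row of the inventory CSV."""
    return {r["host"]: triage(r) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {action}")
```

Hosts in the affected range without saved proxy credentials still fall into the upgrade bucket, since credentials could be configured later.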
Schneider Electric Software Update | CVSS 3.8 - OTPulse