Windows Print Spooler embedded in EcoStruxure™ Process Expert

Plan PatchCVSS 8.8SEVD-2021-313-04Nov 9, 2021

Schneider ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

CVE-2021-34527 and CVE-2021-1675 (PrintNightmare) affect the Windows Print Spooler service embedded in EcoStruxure™ Process Expert DCS. The Print Spooler is enabled by default on the system's Windows machines. An attacker with user credentials can exploit this to perform privileged file operations and achieve remote code execution. Because EcoStruxure™ Process Expert uses embedded virtualization, standard Microsoft patches cannot be applied directly; the vendor must release a fixed version of the product itself.

What this means

What could happen

An attacker with local user credentials could exploit the Windows Print Spooler vulnerability to run arbitrary commands with system privileges on the engineering workstation or DCS server, potentially modifying process setpoints, stopping operations, or compromising the entire control system.

Who's at risk

Organizations operating EcoStruxure™ Process Expert DCS systems for plant automation and infrastructure management are affected. This includes energy utilities, water treatment facilities, and manufacturing plants that use this Schneider Electric control system for process engineering, operation, and maintenance.

How it could be exploited

An attacker with valid user account credentials connects to the EcoStruxure™ Process Expert system over the network and exploits the PrintNightmare vulnerability (CVE-2021-34527 or CVE-2021-1675) in the built-in Windows Print Spooler service through RPC calls on ports 135, 139, or 445 to escalate privileges and execute arbitrary code.

Prerequisites

Valid user account on the EcoStruxure™ Process Expert system or connected engineering workstation
Network access to RPC Endpoint Mapper (port 135/TCP) and/or SMB ports (139/TCP or 445/TCP)
Print Spooler service running and enabled on the target system

Remotely exploitable over networkRequires valid user credentials (low barrier for internal attacker)Low complexity attackHigh CVSS score (8.8)Affects distributed control system engineering and operationDefault Print Spooler service enables exploitation

Affected products (1)

ProductAffected VersionsFix Status

EcoStruxure™ Process Expert<V2021V2021

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDDisable the Print Spooler service on all EcoStruxure™ Process Expert workstations and servers where printer functionality is not required

HARDENINGImplement network segmentation and firewall rules to block unauthorized access to RPC Endpoint Mapper (port 135/TCP) and SMB ports (139/TCP and 445/TCP)

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate EcoStruxure™ Process Expert to version 2021 or later

Long-term hardening

0/1

HARDENINGApply Windows hardening recommendations from the Schneider Electric Cybersecurity Reference Manual

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/086be734-1cb7-4095-bf23-7c74dbf233e4

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.