OTPulse
FeedAboutContact

CanBRASS

Monitor5.3SEVD-2022-165-07Jun 14, 2022
Attack VectorLocal
Auth RequiredNone
ComplexityLow
User InteractionRequired
Summary

Schneider Electric CanBRASS contains a buffer overflow vulnerability (CWE-119) in the design and costing tool for Canalis busbar trunking systems. The vulnerability exists in versions up to 7.5.1 and could allow local code execution if a user interacts with a malicious input.

What this means
What could happen
An attacker with local access to a system running CanBRASS could execute arbitrary code with the privileges of the user running the application, potentially compromising the integrity of busbar trunking designs and project data.
Who's at risk
Energy sector organizations that use Schneider Electric CanBRASS for designing and costing Canalis busbar trunking installations. This includes electrical engineering teams, system integrators, and facility design departments at utilities and industrial facilities.
How it could be exploited
An attacker would need to interact with a user running a vulnerable version of CanBRASS on a local system (e.g., via a malicious file or social engineering). When the user opens a crafted input in CanBRASS 7.5.1 or earlier, the buffer overflow vulnerability could allow code execution within the application's context.
Prerequisites
  • Local system access or ability to deliver malicious input to a user running CanBRASS
  • User interaction required (user must open a file or interaction point in CanBRASS)
  • Vulnerable version CanBRASS 7.5.1 or earlier installed on Windows or applicable platform
Local access required (not remotely exploitable)User interaction requiredLow exploit probability (0.1% EPSS)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
ProductAffected VersionsFix Status
CanBRASS <=7.5.1≤ 7.5.17.6
Remediation & Mitigation
0/2
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade CanBRASS to version 7.6 or later
HOTFIXPlan for system reboot after installation of the patch
View full Schneider Electric advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/7838898e-925c-4cbb-b31c-1332490f307a