EcoStruxure Power Design - Ecodial

Monitor7.8SEVD-2024-072-02Mar 12, 2024

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

EcoStruxure Power Design - Ecodial contains an unsafe deserialization vulnerability (CWE-502) that could allow remote code execution when an engineer opens a malicious project file. The application deserializes untrusted data without proper validation. All language versions (NL, INT, FR) and all versions of the product are affected. Schneider Electric has not provided a software patch for this vulnerability.

What this means

What could happen

An attacker who can trick an engineer into opening a malicious project file could execute arbitrary code on the design workstation, potentially compromising the entire electrical system design and configuration for your power distribution network.

Who's at risk

Electrical utilities and power distribution companies using EcoStruxure Power Design for design of power distribution systems are affected. This impacts engineering teams who use the software to configure electrical equipment and manage system specifications.

How it could be exploited

An attacker creates a malicious EcoStruxure Power Design project file containing serialized malicious code. When an engineer opens this file in EcoStruxure Power Design, the application deserializes the untrusted data without validation, executing the attacker's code on the engineer's workstation with their privilege level.

Prerequisites

Engineer must open a malicious project file (requires social engineering or file sharing compromise)
EcoStruxure Power Design application must be installed on the engineer's workstation
User interaction required to open the malicious file

Unsafe deserialization (CWE-502)Requires user interaction to exploitAll versions affectedNo vendor patch available

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (3)

3 EOL

ProductAffected VersionsFix Status

EcoStruxure Power Design - NL All versionsAll versionsNo fix (EOL)

EcoStruxure Power Design - INT All versionsAll versionsNo fix (EOL)

EcoStruxure Power Design - FR All versionsAll versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/3

HARDENINGDo not connect design workstations to the business network or any network other than the isolated engineering network

HARDENINGRestrict file transfer to design workstations via approved channels only (e.g., scanned USB drives, not email or cloud storage)

HARDENINGEducate engineering staff to avoid opening project files from untrusted sources

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: EcoStruxure Power Design - NL All versions, EcoStruxure Power Design - INT All versions, EcoStruxure Power Design - FR All versions. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate design workstations from the broader engineering network and business network

CVEs (1)

CVE-2024-2229

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1aa9d252-c99d-4dcc-909c-81792c83ff46