Schneider Electric Updates
Warning Date: 14 July, 2021
Severity Level: High
Warning Number: 2021-3191
Target Sector: Energy - Transportation - Water and Utilities - Commercial Facilities - Government Facilities
Description:
Schneider Electric has released security updates to address several vulnerabilities in the following products:
- C-Bus Toolkit Versions 1.15.8 and prior
- EcoStruxure Control Expert, all versions prior to v15.0 SP1
  - Including all versions of Unity Pro (former name of EcoStruxure Control Expert)
- EcoStruxure Control Expert v15.0 SP1
- EcoStruxure Process Expert, all versions
  - Including all versions of EcoStruxure Hybrid DCS (former name of EcoStruxure Process Expert)
- SCADAPack RemoteConnect for x70, all versions
- SCADAPack 470, 474, 570, 574, and 575 RTUs, all versions
- Modicon M580 CPU (part numbers BMEP and BMEH), all versions
- Modicon M340 CPU (part numbers BMXP34), all versions
Threats:
An attacker could exploit these vulnerabilities to do the following:
- Gain remote access to the system
- Execute arbitrary code
Best Practices and Recommendations:
The CERT team encourages users to review the Schneider Electric security advisories and apply the necessary updates:
- https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-01
- https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-04
The CERT team encourages users to apply the following best practices:
- Minimize network exposure for all control system devices and/or systems
- Locate control system networks and devices behind firewalls and isolate them from the enterprise/business network
- When remote access is required, use secure methods such as virtual private networks (VPNs)