GRI

ICS Advisory: Schneider Electric EcoStruxure Power Monitoring Expert and Power Operation Products

News Cybersecurity English Guidance
Date: 17th Oct, 2023 Source: Cybersecurity and Infrastructure Security Agency Country: USA Original Source

Brief

Summary:

A critical vulnerability (CVSS v3 9.8) exists in Schneider Electric's EcoStruxure Power Monitoring Expert, Power Operation with Advanced Reports, and Power SCADA Operation with Advanced Reports products. The vulnerability, CVE-2023-5391, allows an attacker to achieve remote code execution by sending a maliciously crafted packet to the application. The affected products are vulnerable to deserialization of untrusted data. Schneider Electric has released hotfixes and recommends cybersecurity best practices to mitigate this vulnerability.

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 9.8
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Schneider Electric
  • Equipment: EcoStruxure Power Monitoring Expert, EcoStruxure Power Operation with Advanced Reports, EcoStruxure Power SCADA
    Operation with Advanced Reports
  • Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of Schneider Electric EcoStruxure Power Monitoring Expert and Power Operation Products is affected:

  • EcoStruxure Power Monitoring Expert: All versions prior to Hotfix-145271
  • EcoStruxure Power Operation with Advanced Reports: All versions prior to application of Hotfix-145271
  • EcoStruxure Power SCADA Operation with Advanced Reports: All versions prior to Hotfix-145271

3.2 Vulnerability Overview

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

A deserialization of untrusted data vulnerability exists that could allow an attacker to execute arbitrary code on the targeted system by sending a specifically crafted packet to the application.

CVE-2023-5391 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Multiple
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative reported this vulnerability to Schneider Electric.

4. MITIGATIONS

Schneider Electric has released the following mitigations/fixes for the following products:

  • EcoStruxure Power Monitoring Expert: A Hotfix for this vulnerability is available by contacting Contact Schneider Electric’s Customer Care Center. The Hotfix can be applied to versions PME 2023, 2022, and 2021, the versions currently in support on the date of this disclosure. Previous versions, please contact customer care to inquire about upgrade paths.

  • EcoStruxure Power Operation with Advanced Reports and EcoStruxure Power SCADA Operation with Advanced Reports: A Hotfix for this vulnerability is available by contacting Contact Schneider Electric’s Customer Care Center. The Hotfix can be applied to versions EPO 2022, and 2021, the versions currently in support on the date of this disclosure. Previous versions, please contact customer care to inquire about upgrade paths.

Schneider Electric also recommends the following cybersecurity best practices:

  • Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
  • Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
  • Place all controllers in locked cabinets and never leave them in the “Program” mode.
  • Never connect programming software to any network other than the network intended for that device.
  • Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
  • Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
  • Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.

For further information, see Schnieder Electric’s Security Advisory.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • October 17, 2023: Initial Publication

Highlights content goes here...

Summary

Vulnerability Summary:

The Schneider Electric EcoStruxure Power Monitoring Expert, EcoStruxure Power Operation with Advanced Reports, and EcoStruxure Power SCADA Operation with Advanced Reports have been found to be vulnerable to a deserialization of untrusted data vulnerability (CVE-2023-5391). This vulnerability, with a CVSS v3 base score of 9.8, allows an attacker to execute arbitrary code on the targeted system by sending a specifically crafted packet to the application.

Risk Evaluation:

The successful exploitation of this vulnerability could allow an attacker to achieve remote code execution, which poses a significant risk to the confidentiality, integrity, and availability of the affected systems.

Technical Details:

The vulnerability affects the following versions of the Schneider Electric products:

EcoStruxure Power Monitoring Expert: All versions prior to Hotfix-145271
 EcoStruxure Power Operation with Advanced Reports: All versions prior to application of Hotfix-145271
EcoStruxure Power SCADA Operation with Advanced Reports: All versions prior to Hotfix-145271

The vulnerability is a deserialization of untrusted data vulnerability (CWE-502) that allows an attacker to execute arbitrary code on the targeted system.

Mitigations:

The affected products can be mitigated by applying the available hotfixes. Schneider Electric recommends the following best practices:

Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network
Install physical controls to prevent unauthorized access to industrial control and safety systems
 Scan all methods of mobile data exchange with the isolated network before use
Minimize network exposure for all control system devices and systems
 Use secure methods, such as virtual private networks (VPNs), for remote access

Additional Information:

The United States Cybersecurity and Infrastructure Security Agency (CISA) reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage and encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Update History:

The vulnerability was initially published on October 17, 2023.

Cybersecurity and Infrastructure Security Agency

Quick Insight
RADA.AI
RADA.AI
Hello! I'm RADA.AI - Regulatory Analysis and Decision Assistance. Your Intelligent guide for compliance and decision-making. How can i assist you today?
Suggested
Related Documents
Maintenance of Good Practice Certificate Queries
Date: 4th Feb, 2025 Source: National Health Surveillance Agency (Anvisa) Country: Brazil
News Healthcare & Pharma Guidance
Are your organisation’s edge devices secure?
Date: 5th Feb, 2025 Source: Australian Cyber Security Centre (ACSC) Country: Australia
News Cybersecurity Guidance
How EASA certified Safran’s ENGINeUS 100 electric engine
Date: 4th Feb, 2025 Source: European Union Aviation Safety Agency (EASA) Country: European Union
News Aviation & Aerospace Guidance

Form successfully submitted. One of our GRI rep will contact you shortly

Thanking You!

Click here

Enter your Email

Enter your registered username/email id.

Enter your Email

Enter your email id below to signup.

Enter your Email

Enter your email id below to signup.
Individual Plan
  • Designed for Growing Compliance Teams
$125 / month OR $1250 / year
Features
  • • Coverage for 20 jurisdictions
  • • Monitoring from 500+ regulatory authorities
  • • AI compliance summaries
  • • RaDa.ai : Single-Role
Best for: Researchers, Legal professionals, Academics
Subscribe Now
Enterprise Plan
  • Perfect for Global Enterprises
Contact for Pricing
Features
  • • Custom jurisdictional coverage
  • • Custom monitoring of regulatory authorities
  • • RaDa.ai : Customizable multi-role
  • • Custom reporting and dashboard capabilities
  • • API access for seamless integration
Best for: Law Firms, Corporations, Government Bodies
Contact Sales