Schneider Electric Data Center Expert Advisory

By David Silva on October 18, 2024

Executive Summary

The Cybersecurity and Infrastructure Security Agency (CISA) released an advisory for the Data Center Expert on October 15th. The Data Center Expert is an industrial control system (ICS) used for the centralized monitoring and gathering of data from other ICSs produced by Schneider Electric. Two vulnerabilities were identified by an anonymous person working with Trend Micro Zero Day Initiative, which is a bug bounty program run by the cybersecurity company Trend Micro. A patch has been released to mitigate the vulnerabilities with version 8.2 of Data Center Expert. Schneider Electric and CISA also recommend the implementation of additional security controls to reduce the risk of exploitation, especially if the patch cannot be immediately implemented.

Background

The Data Center Expert is a centralized management and monitoring device that connects devices and aggregates data so personnel can effectively maintain critical systems. Its ability to generate graphics and reports, and to raise alarms for critical events from all connected systems, makes it an important element of critical systems across a variety of sectors. The device also features integral data storage, making it a prime target for threats wanting to exfiltrate or modify a large amount of data from any of the ICSs connected to the device.

Vulnerabilities

The vulnerabilities found on the Data Center Expert are improper verification of cryptographic signature (CVE-2024-8531) and missing authentication for a critical function (CVE-2024-8530).

Normally, when cryptographic verification occurs, the patch is hashed and compared against the hash provided by the manufacturer to ensure the data has not changed. When improper verification of a cryptographic signature occurs, an attacker could manufacture a fake patch for the device with additional scripts included, which will be executed with root privileges because the device does not properly verify that the data has not been changed.
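The difference between an integrity check and a signature check can be shown with a short Go program. This is an added, generic illustration of CWE-347 and not Data Center Expert's update code; the `Update` type, the function names, the sample payload and the choice of Ed25519 are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Update is a hypothetical update bundle: a payload plus metadata shipped with it.
type Update struct {
	Payload   []byte // files and scripts the installer will run
	Digest    []byte // SHA-256 of Payload, carried inside the bundle
	Signature []byte // vendor Ed25519 signature over Payload
}

// weakVerify only compares the payload with the digest that travels with it.
// Whoever alters the payload can recompute the digest, so this detects
// accidental corruption but says nothing about who produced the bundle.
func weakVerify(u Update) bool {
	sum := sha256.Sum256(u.Payload)
	return bytes.Equal(sum[:], u.Digest)
}

// strictVerify checks the signature against a vendor public key pinned on the
// device; it cannot be regenerated without the vendor's private key.
func strictVerify(u Update, vendorKey ed25519.PublicKey) bool {
	return len(u.Signature) == ed25519.SignatureSize &&
		ed25519.Verify(vendorKey, u.Payload, u.Signature)
}

// demo builds a genuine bundle and a modified one (constructed sample data).
func demo() (genuine, tampered Update, vendorKey ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // stand-in for the vendor key pair
	payload := []byte("install.sh: apply fixes")
	sum := sha256.Sum256(payload)
	genuine = Update{payload, sum[:], ed25519.Sign(priv, payload)}
	// Modified copy: payload changed, digest recomputed, old signature reused.
	altered := append(append([]byte(nil), payload...), "; extra.sh"...)
	asum := sha256.Sum256(altered)
	tampered = Update{altered, asum[:], genuine.Signature}
	return genuine, tampered, pub
}

func main() {
	g, t, key := demo()
	fmt.Println("genuine :", weakVerify(g), strictVerify(g, key))
	fmt.Println("tampered:", weakVerify(t), strictVerify(t, key))
}
```

The modified bundle passes the digest comparison and fails the signature check, which is why an installer that runs content as root needs the latter.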

Missing authentication for a critical function allows attackers to access a “logcaptures” archive without authenticating. Attackers could potentially modify or steal data archived on the device all while seeming like a legitimate user due to the lack of authentication when accessing the archive directly through HTTPS.

Conclusion

Vulnerabilities like these show the importance of implementing best practices to ensure security, especially in an ICS environment where accessibility may be the primary focus instead of security. Although patches from trusted vendors are usually safe, they are not invulnerable to attacks either. Testing patches in a testing environment before deploying them to a production environment can save a lot of time and money. When possible, regularly updating devices with the latest patches can help to prevent other security incidents and ensure devices are as secure as possible. When patches cannot be implemented, it is just as important to implement compensating security controls to mitigate the risk presented by the vulnerabilities. If compensating controls also cannot be implemented, a process for accepting and documenting the risk from vulnerabilities needs to be in place so the incident response teams can work as effectively as possible if an incident were to occur.

References

Common Weakness Enumeration. (2024). CWE-306: Missing Authentication for Critical Function. Common Weakness Enumeration. https://cwe.mitre.org/data/definitions/306.html

Common Weakness Enumeration. (2024). CWE-347: Improper Verification of Cryptographic Signature. Common Weakness Enumeration. https://cwe.mitre.org/data/definitions/347.html

Cybersecurity & Infrastructure Security Agency. (2024). Schneider Electric Data Center Expert. Cybersecurity & Infrastructure Security Agency. https://www.cisa.gov/news-events/ics-advisories/icsa-24-289-02

Schneider Electric. (n.d.). EcoStruxure IT Data Center Expert. Schneider Electric. https://www.se.com/us/en/product-range/61851-ecostruxure-it-data-center-expert/