Schneider Electric patches DCIM software security hole

Schneider Electric has rushed to patch a critical vulnerability in its StrucxureWare datacentre infrastructure management (DCIM) software that risked exposing sensitive support systems data to hackers.

Download this free guide

Computer Weekly's buyer's guide to GDPR compliance

This 12 page buyer's guide gives you the tools you need to get up to scratch with GDPR compliance and to understand the mythology surrounding the new rules.

Start Download

• Corporate E-mail Address:

  You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please login.

  You have exceeded the maximum character limit.

  Please provide a Corporate E-mail Address.

• • I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

  Please check the box if you want to proceed.

• • I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.

  Please check the box if you want to proceed.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

The flaw, uncovered by security researchers at Positive Technologies, could potentially be exploited by hackers to obtain remote access to data found in datacentre support systems connected to Schneider’s StrucxureWare Data Center Expert software suite.

The software is widely used by datacentre operators in the media, banking, health, insurance and manufacturing industries to manage their server farm estates.

The researchers said the flaw could lead to unauthorised third parties recovering unencrypted passwords from RAM on the client side of the platform, the researchers claim.

According to IIya Karpov, head of Positive Technologies’ infrastructure control systems research and audit unit, the flaw had the potential to cause serious harm if it remained unpatched.  

“A hacker could use this flaw to penetrate the internal network at a datacentre, obtain confidential information, or even cause physical harm,” said Karpov.

Particularly, he said, the vulnerability could be used to alter the functionality of a datacentre’s video surveillance, fire suppression, backup generators, UPS systems and cooling technology.

“Datacentre infrastructure management platforms have the ‘keys to the kingdom’ at a datacentre, since they are connected to all installed systems,” Karpov added.

Schneider has released a security advisory confirming the presence of the flaw in several versions of the software, and recommends users to upgrade to version 7.4.0 to avoid being affected by it.   

At the time of writing, Computer Weekly was awaiting confirmation from Schneider of whether there is any evidence to suggest the flaw may have been exploited in the wild. In the meantime, the company has issued the following statement: “It has been discovered that some passwords are stored in cleartext in random access memory (RAM). We issued a security notification that shares mitigation recommendations.”

News of the flaw comes several months after Schneider’s rapid response to the discovery of a software flaw in its Unity Pro industrial controller management software received praise from another security research group.