
Schneider Electric patches DCIM software security hole

Users of StruxureWare datacentre monitoring software urged to upgrade to latest version after discovery of critical vulnerability by security researchers

Schneider Electric has rushed to patch a critical vulnerability in its StruxureWare datacentre infrastructure management (DCIM) software that risked exposing sensitive support systems data to hackers.

The flaw, uncovered by security researchers at Positive Technologies, could potentially be exploited by hackers to obtain remote access to data found in datacentre support systems connected to Schneider’s StruxureWare Data Center Expert software suite.

The software is widely used by datacentre operators in the media, banking, health, insurance and manufacturing industries to manage their server farm estates.

The researchers claim the flaw could allow unauthorised third parties to recover unencrypted passwords from RAM on the client side of the platform.

According to Ilya Karpov, head of Positive Technologies’ infrastructure control systems research and audit unit, the flaw had the potential to cause serious harm if it remained unpatched.

“A hacker could use this flaw to penetrate the internal network at a datacentre, obtain confidential information, or even cause physical harm,” said Karpov.

Particularly, he said, the vulnerability could be used to alter the functionality of a datacentre’s video surveillance, fire suppression, backup generators, UPS systems and cooling technology.

“Datacentre infrastructure management platforms have the ‘keys to the kingdom’ at a datacentre, since they are connected to all installed systems,” Karpov added.


Schneider has released a security advisory confirming the presence of the flaw in several versions of the software, and recommends that users upgrade to version 7.4.0 to avoid being affected by it.

At the time of writing, Computer Weekly was awaiting confirmation from Schneider of whether there is any evidence to suggest the flaw may have been exploited in the wild. In the meantime, the company has issued the following statement: “It has been discovered that some passwords are stored in cleartext in random access memory (RAM). We issued a security notification that shares mitigation recommendations.”

News of the flaw comes several months after Schneider’s rapid response to the discovery of a software flaw in its Unity Pro industrial controller management software received praise from another security research group.
