A critical vulnerability has been discovered in a Schneider Electric product designed to monitor physical infrastructure at data centres.
StruxureWare Data Center Expert is used by banks, media corporations, circuit board manufacturers, insurers, medical centres, and other companies to manage the functioning of everything from cooling to backup generators at data centres.
Use of the vulnerability, discovered by security firm Positive Technologies, allows an outsider to obtain remote access to sensitive information found in critical data centre support systems that are connected to the software.
An attacker can also recover passwords from RAM on the client side of the platform, where they are held in unencrypted form. The vulnerability is rated 7.6 on the CVSS v3 scale.
“A hacker could use this flaw to penetrate the internal network at a data centre, obtain confidential information, or even cause physical harm,” said Ilya Karpov, head of the ICS research and audit unit at Positive Technologies.
“Data centre infrastructure management platforms have the ‘keys to the kingdom’ at a data centre, since they are connected to all installed systems.
“A vulnerability such as this threatens the functioning of critical systems on which data centres depend: video surveillance, fire suppression, backup generators and generator control units, switches, pumps, UPS systems, and precision cooling.”
The vulnerability exists in StruxureWare Data Center Expert 18.104.22.168 and 7.2.4 and earlier versions.
Schneider Electric urged its customers to update all installations of StruxureWare Data Center Expert to version 7.4, which has been patched against the vulnerability.
In 2013 and 2014 Positive Technologies researchers also uncovered vulnerabilities in Schneider Electric’s Wonderware Information Server.