Schneider Patches Plaintext Credentials Bug in Building Automation System

Schneider Electric has published new firmware for its StruxureWare Building Expert building automation system that patches a remotely exploitable vulnerability.

Industrial control manufacturer Schneider Electric has published new firmware for its StruxureWare Building Expert building automation system that patches a remotely exploitable vulnerability.

Researcher Artyom Kurbatov discovered that the system transmits user credentials in plaintext between the server and client machines. An advisory from the Industrial Control System Cyber Emergency Response Team (ICS-CERT) said that the vulnerability has not been publicly exploited.

“A successful exploit will allow the attacker to obtain user credentials,” Schneider said in its advisory.

Schneider Electric said the building automation system is used worldwide, and mostly in commercial facilities. StruxureWare Building Expert is described as a multipurpose management device that monitors HVAC, lighting and metering systems, primarily to keep energy costs in check. Versions prior to 2.15 are affected, ICS-CERT said, adding that the vulnerability has been assigned a CVSS score of 10.0.

Managers are urged to upgrade the MPM to 2.15 or higher.

Schneider Electric has been busy patching security issues as summer winds down. On Sept. 3, it released an advisory that said a number of vulnerabilities in its Modicon M340 PLC Station P34 were patched. The vulnerabilities were reported by researcher Juan Francisco Bolivar and publicly disclosed in a presentation at DEF CON by independent researcher Aditya K. Sood, who also reported them in July.

Modicon products BMXNOC0401, BMXNOE0100, BMXNOE0110, BMXNOE0110H, BMXNOR0200H, BMXP342020, BMXP342020H, BMXP342030, BMXP3420302, BMXP3420302H, and BMXP342030H were affected by the vulnerabilities that could have forced a browser to redirect to a remote file or execute JavaScript stored remotely.

Suggested articles