The vulnerability could allow remote access to unencrypted passwords.

Security firm Positive Technologies has discovered a critical vulnerability in Schneider Electric StruxureWare Data Center Expert, which is designed to monitor physical infrastructure at data centres.

It is used by banks, media corporations, circuit board manufacturers, insurers, medical centres, and other companies to manage the functioning of everything from cooling to backup generators at data centres.

Exploiting the vulnerability allows an outsider to obtain remote access to sensitive information held in critical data centre support systems that are connected to StruxureWare Data Center Expert.

An attacker can also recover passwords from RAM on the client side of the platform, where they are held in unencrypted form. The vulnerability is rated 7.6 on the CVSS v3 scale.

"A hacker could use this flaw to penetrate the internal network at a data centre, obtain confidential information, or even cause physical harm," said Ilya Karpov, head of the ICS research and audit unit at Positive Technologies.

Karpov added: "Data Centre Infrastructure Management (DCIM) platforms have the 'keys to the kingdom' at a data centre, since they are connected to all installed systems. A vulnerability such as this threatens the functioning of critical systems on which data centres depend: video surveillance, fire suppression, backup generators and generator control units, switches, pumps, UPS systems, and precision cooling."

Schneider Electric urges updating all installations of StruxureWare Data Center Expert to version 7.4.

In 2013 and 2014 Positive Technologies researchers also uncovered vulnerabilities in Schneider Electric Wonderware Information Server.

At the Positive Hack Days IV international forum, participants in the Critical Infrastructure Attack competition located a number of vulnerabilities in Schneider Electric systems.

In addition, in 2015 Ilya Karpov identified an issue involving unencrypted storage of passwords in InTouch Machine Edition 2014.