Schneider Electric EcoStruxure
1. EXECUTIVE SUMMARY
- CVSS v3 5.4
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Schneider Electric
- Equipment: EcoStruxure Power Monitoring Expert, EcoStruxure Power Operation, EcoStruxure Power SCADA Operation 2020
- Vulnerability: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to tamper with folder names within the context of the product.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:
- Schneider Electric EcoStruxure™ Power Monitoring Expert (PME) 2021: All versions prior to 2021 CU1
- Schneider Electric EcoStruxure™ Power Monitoring Expert (PME) 2020: All versions prior to 2020 CU3
- Schneider Electric EcoStruxure™ Power Operation (EPO) 2022: All versions prior to 2022 CU4
- Schneider Electric EcoStruxure™ Power Operation (EPO) 2022 – Advanced Reporting and Dashboards Module: All versions prior to 2022 CU4
- Schneider Electric EcoStruxure™ Power Operation (EPO) 2021: All versions prior to 2021 CU3 Hotfix 2
- Schneider Electric EcoStruxure™ Power Operation (EPO) 2021 – Advanced Reporting and Dashboards Module: All versions prior to 2021 CU3 Hotfix 2
- Schneider Electric EcoStruxure™ Power SCADA Operation 2020 (PSO) - Advanced Reporting and Dashboards Module: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists when an authenticated attacker modifies folder names within the context of the product.
CVE-2024-8401 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: France
3.4 RESEARCHER
Schneider Electric CPCERT reported this vulnerability to CISA.
CVE-2024-8401:
McKade Umbenhower of Sandia National Labs reported this vulnerability to CISA.
4. MITIGATIONS
Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:
- Schneider Electric EcoStruxure™ Power Monitoring Expert (PME) 2021 CU1 and prior: EcoStruxure™ Power Monitoring Expert 2021 CU2 includes a fix for this vulnerability and is available for download here: https://ecoxpert.se.com/software-center/power-monitoringexpert/power-monitoring-expert-2021 OR EcoStruxure™ Power Monitoring Expert 2022 includes a fix for this vulnerability and is available for download here: https://ecoxpert.se.com/software-center/power-monitoringexpert/power-monitoring-expert-2022 OR Upgrade to the latest version of EcoStruxure™ Power Monitoring Expert. Contact the customer care center for more information.
- Schneider Electric EcoStruxure™ Power Operation (EPO) 2022 CU4 and prior, Schneider Electric EcoStruxure™ Power Operation (EPO) 2022 – Advanced Reporting and Dashboards Module 2022 CU4 and prior: EcoStruxure™ Power Operations 2022 CU5 includes a fix for this vulnerability and is available for download here: https://community.se.com/t5/EcoStruxure-Power-Operation/v2022-Release-amp-Updates-Install-Procedure/m-p/416561/thread-id/6058 OR Upgrade to the latest version of EcoStruxure™ Power Operations. Contact the customer care center for more information. Additionally, EcoStruxure™ Power Operation 2022 with Advanced Reporting utilizes EcoStruxure™ Power Monitoring Expert. You will need to update the version of EcoStruxure™ Power Monitoring Expert installed independently of the EcoStruxure™ Power Operation patch level installed and apply the appropriate EcoStruxure™ Power Monitoring Expert update as outlined above. For assistance in determining the version of PME installed, contact the Schneider Electric Customer Care Center.
- Schneider Electric EcoStruxure™ Power Operation (EPO) 2021 CU3 Hotfix 2 and prior, Schneider Electric EcoStruxure™ Power Operation (EPO) 2021 – Advanced Reporting and Dashboards Module 2021 CU3 Hotfix 2 and prior: EcoStruxure™ Power Operations 2021 CU3 Hotfix 3 includes a fix for this vulnerability and is available for download here: https://community.se.com/t5/EcoStruxure-Power-Operation/v2022-Release-amp-Updates-Install-Procedure/m-p/416561/thread-id/6058 OR Upgrade to the latest version of EcoStruxure™ Power Operations. Contact the customer care center for more information. Additionally, EcoStruxure™ Power Operation 2021 with Advanced Reporting utilizes EcoStruxure™ Power Monitoring Expert. You will need to update the version of EcoStruxure™ Power Monitoring Expert installed independently of the EcoStruxure™ Power Operation patch level installed and apply the appropriate EcoStruxure™ Power Monitoring Expert update as outlined above. For assistance in determining the version of PME installed, contact the Schneider Electric Customer Care Center.
- Schneider Electric EcoStruxure™ Power Monitoring Expert (PME) 2020 CU3 and prior: EcoStruxure™ Power Monitoring Expert 2020 is at its end-of-life support. Users should consider upgrading to the latest version offering of PME to resolve this issue. Please contact Schneider Electric Customer Care Center for more details.
- Schneider Electric EcoStruxure™ Power SCADA Operation 2020 (PSO) - Advanced Reporting and Dashboards Module All Versions: EcoStruxure™ Power SCADA Operation 2020 (PSO) - Advanced Reporting and Dashboards Module is at its end-of-life support. Users should consider upgrading to the latest version offering of EPO to resolve this issue. Please contact Schneider Electric Customer Care Center for more details.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY
- January 14, 2025: Initial Publication
This product is provided subject to this Notification and this Privacy & Use policy.