Date of Alert: December 12, 2023
Source: Schneider Electric Security Notification, SEVD-2023-346-02
Schneider Electric has issued an urgent security notification regarding a critical vulnerability in its Plant iT/Brewmaxx product, a sophisticated PLC-based process control system integrated with Manufacturing Execution System functionality. This system is widely used in various industrial settings for efficient process control and management.
- Affected Product: Plant iT/Brewmaxx, version 9.60 and above.
- CVE ID: CVE-2022-0543.
- Severity Level: Critical, with a CVSS v3.1 Base Score of 10.0.
- Impact: The vulnerability lies in Redis, the open-source database bundled as a component of Plant iT; a Lua sandbox escape in Redis can lead to remote code execution.
- Nature of Risk: If not addressed, this vulnerability could allow privilege escalation, culminating in remote code execution, posing a significant threat to the integrity and security of industrial control systems.
- Schneider Electric is actively working on a remediation plan for all future versions of Plant iT to address this vulnerability. An update will be released as soon as the remediation plan is finalized.
- In the interim, Schneider Electric advises customers to:
  - Install a patch that disables the eval commands in Redis. This patch should be applied to the Application Server, VisuHub, Engineering Workstations, and any Workstation with emergency mode functionality.
  - Ensure that the secure Redis configuration templates are used in the system settings, as outlined in the patch manual.
  - Restart all patched Servers and Workstations so that the patch takes effect.
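To make the interim mitigation concrete, here is an added example that is not part of the Schneider notification and is not the vendor's patch: a small Python checker that parses a redis.conf fragment and reports whether the Lua scripting commands (EVAL, EVALSHA, SCRIPT) have been removed with Redis's `rename-command` directive, and whether the listener is restricted and password-protected. Using `rename-command CMD ""` is an assumption about how scripting can be disabled in a stock Redis configuration; the notification does not state how the Schneider patch or its configuration templates do it. Both configuration samples are constructed for the example.

```python
import shlex

# Constructed sample: a redis.conf fragment in a weak, default-like state
# (Lua scripting reachable, listener open on every interface, no password).
WEAK_CONF = """
# scripting left enabled, service bound to all interfaces
bind 0.0.0.0
protected-mode no
"""

# Constructed sample: the same fragment after hardening. Renaming a command to
# the empty string removes it from Redis's command table, so EVAL/EVALSHA/SCRIPT
# can no longer be invoked by any client. The password is a placeholder.
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
requirepass REPLACE_WITH_STRONG_PASSWORD
rename-command EVAL ""
rename-command EVALSHA ""
rename-command SCRIPT ""
"""

SCRIPTING_COMMANDS = ("EVAL", "EVALSHA", "SCRIPT")
OPEN_BIND_VALUES = {"0.0.0.0", "*", "::", "-::*"}


def parse_redis_conf(text):
    """Return (directive, args) pairs from a redis.conf body.

    Directives are lower-cased; blank lines and full-line comments are dropped.
    shlex handles the quoted empty string used by `rename-command CMD ""`.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts:
            entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_redis_conf(text):
    """Return a list of findings; an empty list means the fragment is hardened."""
    disabled = set()        # commands renamed to "" (i.e. removed)
    protected_mode = False  # Redis defaults this to yes; a template should state it explicitly
    bind_addrs = None
    has_password = False

    for directive, args in parse_redis_conf(text):
        if directive == "rename-command" and len(args) == 2 and args[1] == "":
            disabled.add(args[0].upper())
        elif directive == "protected-mode" and args:
            protected_mode = args[0].lower() == "yes"
        elif directive == "bind":
            bind_addrs = args
        elif directive == "requirepass" and args:
            has_password = args[0] != ""

    findings = []
    for cmd in SCRIPTING_COMMANDS:
        if cmd not in disabled:
            findings.append(f'{cmd} still enabled: add `rename-command {cmd} ""`')
    if not protected_mode:
        findings.append("protected-mode is not explicitly yes")
    if not bind_addrs or any(a in OPEN_BIND_VALUES for a in bind_addrs):
        findings.append("bind is missing or exposes every interface")
    if not has_password:
        findings.append("requirepass is not set")
    return findings


def is_hardened(text):
    """True when the audit raises no findings."""
    return not audit_redis_conf(text)


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}] findings: {audit_redis_conf(conf) or 'none'}")
```

Run it against the configuration files on each patched Application Server, VisuHub and Engineering Workstation after the restart step, and treat any finding as a sign that the secure template was not applied. A check like this complements the vendor patch rather than replacing it: it only confirms the on-disk configuration, so a running instance must still be restarted for the settings to take effect.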
General Security Recommendations:
- Schneider Electric strongly recommends adhering to industry-standard cybersecurity best practices:
  - Isolate control and safety system networks from business networks using firewalls.
  - Implement physical controls to prevent unauthorized access to industrial control and safety systems.
  - Keep controllers in locked cabinets and avoid leaving them in “Program” mode.
  - Restrict programming software connectivity to intended networks only.
  - Regularly scan all methods of mobile data exchange for threats before use.
  - Limit network exposure of control system devices and prevent Internet accessibility.
  - Use secure remote access methods, such as VPNs kept up to date, while recognizing that VPNs themselves may have vulnerabilities.
For more detailed information and assistance, users are encouraged to contact their local Schneider Electric representative or visit Schneider Electric’s Industrial Cybersecurity Services website.
Disclaimer: Schneider Electric provides this notification on an “as-is” basis, without warranties, and is not liable for any damages arising from its use. The company reserves the right to update this notification as needed.