SEVD-2023-318-01 | Schneider Electric Security Notification

This notification covers vulnerabilities in Schneider Electric’s PowerLogic ION8650 and ION8800 products, which are used for monitoring utility electrical networks. If not mitigated, the vulnerabilities could allow an attacker with administrative privileges to install compromised firmware on the device, leading to altered device behavior, or to modify webpages in a way that exposes viewers to cross-site scripting attacks.

The vulnerabilities identified are:

  1. CVE-2023-5984: This is a high-severity vulnerability (CVSS v3.1 Base Score of 7.2) involving a CWE-494 Download of Code Without Integrity Check. It allows an authorized admin user to upload modified firmware during a firmware update, potentially leading to full control over the device.
  2. CVE-2023-5985: This medium-severity vulnerability (CVSS v3.1 Base Score of 4.8) is a CWE-79 Improper Neutralization of Input During Web Page Generation. It can compromise a user’s browser when an attacker with admin privileges modifies system values.

Mitigations recommended include:

  • Ensuring firmware is downloaded from official Schneider Electric links.
  • Keeping device firmware up to date and disabling the web service if not required.
  • Implementing general cybersecurity best practices like using firewalls, physical controls, secure remote access methods, and minimizing network exposure.
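
Because CVE-2023-5984 means the firmware update itself does not check integrity, the first mitigation can be enforced as an operator-side check before any image is uploaded. The following is an added example, not code from Schneider Electric or the notification; it assumes you maintain your own allowlist of official download hosts (the `OFFICIAL_HOSTS` values are assumptions) and hold a reference SHA-256 for the image obtained through a separate trusted channel. All function names and sample data are constructed for illustration.

```python
import hashlib
import hmac
import io
from urllib.parse import urlsplit

# Assumption: download hosts your organisation treats as official; adjust to your policy.
OFFICIAL_HOSTS = {"www.se.com", "se.com"}

def source_is_official(url, allowed_hosts=OFFICIAL_HOSTS):
    """Accept only HTTPS URLs whose exact host is allowlisted."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username or parts.password:
        return False  # rejects plain HTTP and https://www.se.com@other-host/ tricks
    host = (parts.hostname or "").lower().rstrip(".")
    return host in allowed_hosts  # exact match, so www.se.com.example.net fails

def sha256_of(stream, chunk_size=1 << 16):
    """Hash a binary stream in chunks so large images are not loaded at once."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        digest.update(block)
    return digest.hexdigest()

def approve_for_upload(url, stream, expected_sha256):
    """Return (approved, reason) for a firmware image before it goes to the meter."""
    if not source_is_official(url):
        return False, "source not on official allowlist"
    expected = expected_sha256.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        return False, "reference digest malformed"
    if not hmac.compare_digest(sha256_of(stream), expected):
        return False, "digest mismatch"
    return True, "ok"

# Constructed sample data: stands in for a downloaded image and its reference digest.
SAMPLE_IMAGE = b"CONSTRUCTED-FIRMWARE-IMAGE" * 4096
REFERENCE_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()
SAMPLE_URL = "https://www.se.com/placeholder/firmware.bin"  # constructed path

if __name__ == "__main__":
    print(approve_for_upload(SAMPLE_URL, io.BytesIO(SAMPLE_IMAGE), REFERENCE_SHA256))
    tampered = SAMPLE_IMAGE[:-1] + b"X"
    print(approve_for_upload(SAMPLE_URL, io.BytesIO(tampered), REFERENCE_SHA256))
```

Recording the returned reason alongside the change ticket gives an audit trail for every image that was accepted or rejected before upload.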

Customers are advised to contact Schneider Electric’s customer care center for assistance and subscribe to their security notification service for updates. The document also includes a disclaimer about the information provided and encourages customers to apply the CVSS Environmental metrics specific to their organizations.