SEVD-2023-318-02 Schneider Electric Security Advisory

Schneider Electric addresses two security vulnerabilities in its EcoStruxure Power Monitoring Expert (PME), EcoStruxure Power Operation (EPO), and EcoStruxure Power SCADA Operation (PSO) products, specifically in the Advanced Reporting and Dashboards Module. Key takeaways from this document include:

  1. Vulnerabilities Identified:
    • CVE-2023-5986: A high-severity vulnerability (CVSS base score 8.2) classified as URL Redirection to Untrusted Site (open redirect, CWE-601). A crafted link could send a victim's browser to an attacker-controlled destination, and the same redirect can be chained into a cross-site scripting attack.
    • CVE-2023-5987: A medium-severity vulnerability (CVSS base score 6.1) classified as Cross-Site Scripting (CWE-79, improper neutralization of input during web page generation). Untrusted input reaching the generated page without output encoding could let an attacker run script in a victim's browser session.
  2. Affected Products and Versions:
    • PME versions 2020 prior to CU3 and 2021 prior to CU2.
    • Advanced Reporting and Dashboards Module for EPO and PSO, versions 2020 and 2021 prior to the updates named in the advisory.
  3. Remediation Steps:
    • Updates are available for PME 2020 (CU3) and PME 2021 (CU2) that fix both vulnerabilities.
    • Users are advised to download and install the latest updates from Schneider Electric's software center, then confirm that the installed cumulative update level matches the fixed version.
  4. General Security Recommendations:
    • Implement industry cybersecurity best practices: place control-system networks behind firewalls and isolate them from the business network, control physical access to the systems, and use secure methods (such as a VPN) when remote access is required.
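The advisory does not describe how the open redirect in CVE-2023-5986 is chained into cross-site scripting, but the usual mechanism is that a redirect parameter accepts any URL, including a `javascript:` URL, which a client-side redirect then executes, or an absolute URL that sends the victim to an attacker's page. The following allow-list check is an added example (not Schneider Electric's code and not the module's actual fix) of how a web application can validate such a parameter; the host name `pme.example.internal` and the function names are assumptions for illustration. It rejects non-HTTP schemes, protocol-relative and off-site targets, and the whitespace and backslash variants browsers normalise before parsing, and it always rebuilds the result as a same-site relative URL.

```python
"""Allow-list validation of a user-supplied redirect target.

Added example, not Schneider Electric code. It shows the checks that stop an
open redirect from becoming an XSS vector (javascript: URLs) or an off-site
redirect, and the edge cases browsers introduce through URL normalisation.
"""
from urllib.parse import urlsplit, urlunsplit

# Hypothetical: the host the web application itself is served from.
ALLOWED_HOSTS = {"pme.example.internal"}
DEFAULT_TARGET = "/"


def safe_redirect_target(raw: str) -> str:
    """Return a same-site relative URL to redirect to, or DEFAULT_TARGET.

    Anything that is not a plain http(s) URL on an allowed host (or a
    root-relative path) is replaced by DEFAULT_TARGET rather than echoed.
    """
    if not raw:
        return DEFAULT_TARGET

    # Browsers drop ASCII control characters before parsing, so an input such
    # as "java\tscript:" reaches the browser's scheme parser as "javascript:".
    # Strip them here so our parser sees the same string the browser will.
    cleaned = "".join(ch for ch in raw.strip() if ch >= " " and ch != "\x7f")

    # In special schemes browsers treat "\" like "/", so "/\evil.example" is a
    # protocol-relative URL pointing off-site. Normalise before parsing.
    cleaned = cleaned.replace("\\", "/")

    parts = urlsplit(cleaned)

    # Only http and https may carry a host; javascript:, data:, vbscript: and
    # any other scheme is rejected outright (this is the XSS vector).
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_TARGET

    if parts.netloc:
        # Exact match on the authority: "host@evil.example" or "host:8443"
        # will not match and is refused, which is the safe direction.
        if parts.netloc.lower() not in ALLOWED_HOSTS:
            return DEFAULT_TARGET
    elif not parts.path.startswith("/") or parts.path.startswith("//"):
        # Require a root-relative path; "evil.example" or "" is not one.
        return DEFAULT_TARGET

    # Rebuild without scheme, host or fragment so the Location header can
    # only ever point back into this site, whatever the input looked like.
    return urlunsplit(("", "", parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    # Constructed sample inputs: the first two are legitimate, the rest are
    # typical open-redirect / XSS payloads.
    for candidate in (
        "/report?id=1",
        "https://pme.example.internal/reports",
        "javascript:alert(document.cookie)",
        "java\tscript:alert(1)",
        "//evil.example/",
        "/\\evil.example/",
        "https://evil.example/login",
    ):
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

Because the function never echoes the caller's scheme or host, even a target it mis-parses can only land somewhere on the application's own origin, which is the property an open-redirect fix must guarantee.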