Article info

Follow
Was this article helpful?
3 out of 6 found this helpful

In this article

    Software Vulnerability Scan(s) Data Center Expert

    This page shows results from the Nessus scan run against Data Center Expert and other relevant security vulnerability information related to the product.

    Security scanners may report a warning level issue regarding SSH weak ciphers. These ciphers are enabled to maintain compatibility with certain NMC device firmware. 

    To get the most recent features and security fixes, update your software to the latest version.

    Schneider Electric Vulnerability Management Policy

    Data Center Expert relevant security vulnerabilities

    Vulnerability

    Answer

    Comments

    Fallout CVE-2018-12126

    CVE-2018-12127

    ZombieLoad CVE-2018-12130

    CVE-2019-11091

    		 Microarchitectural Data Sampling (MDS) security issues could let an attacker execute code or extract sensitive data that are otherwise protected by the Intel processors’ architectural mechanisms.  

    CVE-2018-12126 — Microarchitectural Store Buffer Data Sampling (Fallout)

    CVE-2018-12127 — Microarchitectural Load Port Data Sampling

    CVE-2018-12130 — Microarchitectural Fill Buffer Data Sampling (ZombieLoad)

    CVE-2019-11091 — Microarchitectural Data Sampling Uncacheable Memory

    		 Update DCE to v7.7.0
    ZipSlip CVE-2018-7807

    Data Center Expert allows for the upload of a zip file from its user interface to the server. A carefully crafted, malicious file could be mistakenly uploaded by an authenticated user via this feature which could contain path traversal file names. As such, it could allow for the arbitrary upload of files contained with the zip onto the server file system outside of the intended directory. This is leveraging the more commonly known ZipSlip vulnerability within Java code.

    CVSS 3.0: 6.6

    Vector: AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

    Affected Versions: Data Center Expert versions 7.5.0 and earlier

    Update DCE to v7.6.0
    Meltdown CVE-2017-5754 and Spectre (CVE-2017-5753, CVE-2017-5715)

    All versions of Data Center Expert up to and including v7.4.3 are affected.

    Customers are advised to upgrade to the latest version of DCE when it is available.

    An unprivileged attacker could use this flaw to:

    • Cross the syscall boundary and read privileged memory by conducting targeted cache side-channel attacks.
    • Read privileged (kernel space) memory by conducting targeted cache side-channel attacks.
    • Use guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks.

    Update DCE to v7.5.0

    For more information about these software vulnerabilities, see this Schneider Electric Security Notification.
    CVE-2017-7494 Data Center Expert  is not affected. Security scanners may report this vulnerability due to the Samba-client and Samba-common packages installed on DCE. DCE does not run a Samba server, or export shared folders.
    Dirty COW (CVE-2016-5195) All versions of Data Center Expert up to and including v7.4.1 are affected. A fix is included in Data Center Expert v7.5.0. See APC knowledge base article ID FA300798 for additional information.
    OpenSSL (CVE-2016-2108) and related CVEs All versions of Data Center Expert up to and including v7.3.1 are affected. A fix available within Data Center Expert versions 7.4.0 and higher.

    GLibc

    (CVE-2015-7547)

    		 All versions of Data Center Expert up to and including v7.3.1 are affected.

    A hot fix is available for Data Center Expert v7.3.1 ONLY.

    Any other version must be upgraded to v7.3.1 before this hot fix can be applied.

    You must call Technical Support to get the hot fix for your Data Center Expert v7.3.1 server.

    Zero Day

    (CVE-2016-0728)

    		 Data Center Expert v7.2.7 is not affected by the Zero Day vulnerability. Data Center Expert v7.2.7 uses Linux Kernel 2.6.x, older than the 3.8 and higher kernels affected.
    Logjam (CVE-2015-4000) Data Center Expert v7.2.7 is not affected by the Logjam vulnerability. Data Center Expert v7.2.7 does not allow connections using any Diffie-Hellman or export grade ciphers.
    GHOST (CVE-2015-0235)

    Data Center Expert is affected.

    A manual update is available for DCE v7.2.6 servers only.

    You must call technical support to update your DCE v7.2.6 server.

    This update can be applied to DCE v7.2.6 ONLY. Earlier DCE versions must be updated to v7.2.6 before applying the update.

    Note: The next release of DCE will address this issue.
    Heartbleed (OpenSSL) Data Center Expert is not affected by the Heartbleed vulnerability. http://www2.schneider-electric.com/support/index?page=content&country=APS_GLOBAL&lang=FR&id=FA228282

    0 comments

    Please sign in to leave a comment.