Lucene search

SchneiderCVE-2021-22741

HistoryMay 26, 2021 - 8:15 p.m.

CVE-2021-22741

2021-05-2620:15:09

CWE-916

schneider

web.nvd.nist.gov

cve-2021-22741

clearscada

ecostruxure geo scada expert

vulnerability

password hash

insufficient computational effort

server database files

account credentials

decryption attacks

nvd

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3

6.7

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

6.6

Confidence

High

EPSS

0.001

Percentile

17.1%

JSON

Use of Password Hash with Insufficient Computational Effort vulnerability exists in ClearSCADA (all versions), EcoStruxure Geo SCADA Expert 2019 (all versions), and EcoStruxure Geo SCADA Expert 2020 (V83.7742.1 and prior), which could cause the revealing of account credentials when server database files are available. Exposure of these files to an attacker can make the system vulnerable to password decryption attacks. Note that “.sde” configuration export files do not contain user account password hashes.

Affected configurations

Nvd

Node

schneider-electricclearscada

schneider-electricecostruxure_geo_scada_expert_2019

schneider-electricecostruxure_geo_scada_expert_2020Range≤83.7742.1

VendorProductVersionCPE
schneider-electricclearscada*cpe:2.3:a:schneider-electric:clearscada:*:*:*:*:*:*:*:*
schneider-electricecostruxure_geo_scada_expert_2019*cpe:2.3:a:schneider-electric:ecostruxure_geo_scada_expert_2019:*:*:*:*:*:*:*:*
schneider-electricecostruxure_geo_scada_expert_2020*cpe:2.3:a:schneider-electric:ecostruxure_geo_scada_expert_2020:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
schneider-electric	clearscada	*	cpe:2.3:a:schneider-electric:clearscada::::::::
schneider-electric	ecostruxure_geo_scada_expert_2019	*	cpe:2.3:a:schneider-electric:ecostruxure_geo_scada_expert_2019::::::::
schneider-electric	ecostruxure_geo_scada_expert_2020	*	cpe:2.3:a:schneider-electric:ecostruxure_geo_scada_expert_2020::::::::

CNA Affected

[
  {
    "product": "ClearSCADA (all versions), EcoStruxure Geo SCADA Expert 2019 (all versions), and EcoStruxure Geo SCADA Expert 2020 (V83.7742.1 and prior)",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "ClearSCADA,EcoStruxure Geo SCADA Expert 2019 and EcoStruxure Geo SCADA Expert 2020(see security notification for affected versions)"
      }
    ]
  }
]

References

download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-130-07

Social References

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3

6.7

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

6.6

Confidence

High

EPSS

0.001

Percentile

17.1%

JSON

Related for CVE-2021-22741