ICSA-13-016-01  ·  Published 2025-06-06  ·  CISA ICS-CERT

Schneider Electric Authenticated Communication Risk Vulnerability

CVSS 9.3 CRITICAL

CVEs (1)

Remediations

  • Schneider Electric has produced a customer notification (Schneider Electric Customer Notification, http://www2.schneider-electric.com/corporate/en/support/cybersecurity/viewer-news.page?c_filepath=/templatedata/Content/News/data/en/local/cybersecurity/general_information/2013/01/20130109_advisory_of_vulnerability_affecting_schneider_electric_s_software_upda.xml) that contains mitigations to resolve this vulnerability. According to Schneider Electric, in order to resolve the vulnerability with the software server, Schneider Electric has taken the following actions:
      • The SESU server has been updated to the latest version. Currently, both HTTP and HTTPS are supported in parallel. HTTPS does ensure signed communication.
      • The new SESU client has been updated as of January 2013 to use HTTPS instead of HTTP.
      • The new version of the SESU Client will be made available to customers for distribution via the SESU mechanism in January 2013. Customers can also use an updated software product CD that will contain the updated SESU client, when the CD becomes available. Contact your local support desk for details.
      • While both HTTP and HTTPS SESU client functionality is supported currently, several months after starting to update the SESU clients (May 2013) the HTTP port of the SESU server will be disabled. This means that only HTTPS will be supported during SESU client updates from that time forward, which mitigates this current vulnerability.

Affected Vendors

Schneider Electric

Affected Products (18)

Schneider Electric · Unity Pro V5.0_L_M_S_XL
Schneider Electric · Unity Pro V6.0_L_M_S_XL
Schneider Electric · Unity Pro V6.1_L_M_S_XL
Schneider Electric · Unity Pro V0_L_M_S_XL_XLS
Schneider Electric · Vijeo Designer 6.0.x|6.1.0.x|5.0.0.x|5.1.0.x
Schneider Electric · Vijeo Designer Opti 6.0.x|5.1.0.x|5.0.0.x
Schneider Electric · Web Gate Client Files V5.1.x
Schneider Electric · IDS 1.0|2.0
Schneider Electric · PowerSuite 2.5
Schneider Electric · Smart Widget Acti 9 V1.0.0.0
Schneider Electric · Smart Widget H8035 V1.0.0.0
Schneider Electric · Smart Widget H8036 V1.0.0.0
Schneider Electric · Smart Widget PM201 V1.0.0.0
Schneider Electric · Smart Widget PM710 V1.0.0.0
Schneider Electric · Smart Widget PM750 V1.0.0.0
Schneider Electric · SoMachine V1.2.1
Schneider Electric · Spacial.pro V1.0.0.x
Schneider Electric · SESU 1.0.x|1.1.x
