This page shows results from the Nessus scan run against StruxureWare Data Center Expert and other relevant security vulnerability information related to the product.
Security scanners may report a warning level issue regarding SSH weak ciphers. These ciphers are enabled to maintain compatibility with certain NMC device firmware.
To get the most recent features and security fixes, update your software to the latest version.
StruxureWare Data Center Expert relevant security vulnerabilities
Data Center Expert allows for the upload of a zip file from its user interface to the server. A carefully crafted, malicious file could be mistakenly uploaded by an authenticated user via this feature which could contain path traversal file names. As such, it could allow for the arbitrary upload of files contained with the zip onto the server file system outside of the intended directory. This is leveraging the more commonly known ZipSlip vulnerability within Java code.
CVSS 3.0: 6.6
Affected Versions: Data Center Expert versions 7.5.0 and earlier
Update DCE to v7.6.0
|Meltdown CVE-2017-5754 and Spectre (CVE-2017-5753, CVE-2017-5715)|
All versions of StruxureWare Data Center Expert up to and including v7.4.3 are affected.
Customers are advised to upgrade to the latest version of DCE when it is available.
An unprivileged attacker could use this flaw to:
Update DCE to v7.5.0
For more information about these software vulnerabilities, see this Schneider Electric Security Notification .
|CVE-2017-7494||StruxureWare Data Center Expert is not affected.||Security scanners may report this vulnerability due to the Samba-client and Samba-common packages installed on DCE. DCE does not run a Samba server, or export shared folders.|
|Dirty COW (CVE-2016-5195)||All versions of StruxureWare Data Center Expert up to and including v7.4.1 are affected.||A fix is included in StruxureWare Data Center Expert v7.5.0. See APC knowledge base article ID FA300798 for additional information.|
|OpenSSL ( CVE-2016-2108) and related CVEs||All versions of StruxureWare Data Center Expert up to and including v7.3.1 are affected.||A fix available within StruxureWare Data Center Expert versions 7.4.0 and higher.|
|All versions of StruxureWare Data Center Expert up to and including v7.3.1 are affected.|
A hot fix is available for StruxureWare Data Center Expert v7.3.1 ONLY.
Any other version must be upgraded to v7.3.1 before this hot fix can be applied.
You must call Technical Support to get the hot fix for your StruxureWare Data Center Expert v7.3.1 server.
|StruxureWare Data Center Expert v7.2.7 is not affected by the Zero Day vulnerability.||StruxureWare Data Center Expert v7.2.7 uses Linux Kernel 2.6.x, older than the 3.8 and higher kernels affected.|
|Logjam (CVE-2015-4000)||StruxureWare Data Center Expert v7.2.7 is not affected by the Logjam vulnerability.||StruxureWare Data Center Expert v7.2.7 does not allow connections using any Diffie-Hellman or export grade ciphers.|
StruxureWare Data Center Expert is affected.
A manual update is available for DCE v7.2.6 servers only.
You must call technical support to update your DCE v7.2.6 server.
This update can be applied to DCE v7.2.6 ONLY. Earlier DCE versions must be updated to v7.2.6 before applying the update.
Note: The next release of DCE will address this issue.
|Heartbleed (OpenSSL)||StruxureWare Data Center Expert is not affected by the Heartbleed vulnerability.||http://www2.schneider-electric.com/support/index?page=content&country=APS_GLOBAL&lang=FR&id=FA228282|