Schneider Electric SoMachine Basic 1.4 SP1 and Schneider Electric Modicon TM221CE16R 1.3.3.3 devices have a hardcoded-key vulnerability. The Project Protection feature is used to prevent unauthorized users from opening an XML protected project file, by prompting the user for a password. This XML file is AES-CBC encrypted; however, the key used for encryption (SoMachineBasicSoMachineBasicSoMa) cannot be changed. After decrypting the XML file with this key, the user password can be found in the decrypted data. After reading the user password, the project can be opened and modified with the Schneider product.
References
Link | Resource |
---|---|
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2017-097-01 | Vendor Advisory |
http://www.securityfocus.com/bid/97518 | Third Party Advisory VDB Entry |
https://os-s.net/advisories/OSS-2017-02.pdf | Broken Link |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2017-04-06T21:00:00
Updated: 2017-04-14T04:57:01
Reserved: 2017-04-06T00:00:00
Link: CVE-2017-7574
JSON object: View
NVD Information
Status : Analyzed
Published: 2017-04-06T21:59:00.307
Modified: 2022-02-10T07:22:32.767
Link: CVE-2017-7574
JSON object: View
Redhat Information
No data.
CWE