Schneider Electric SoMachine Basic 1.4 SP1 and Schneider Electric Modicon TM221CE16R 1.3.3.3 devices have a hardcoded-key vulnerability. The Project Protection feature is used to prevent unauthorized users from opening an XML protected project file, by prompting the user for a password. This XML file is AES-CBC encrypted; however, the key used for encryption (SoMachineBasicSoMachineBasicSoMa) cannot be changed. After decrypting the XML file with this key, the user password can be found in the decrypted data. After reading the user password, the project can be opened and modified with the Schneider product.
References
Link | Resource |
---|---|
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2017-097-01 | Vendor Advisory |
http://www.securityfocus.com/bid/97518 | Third Party Advisory VDB Entry |
https://os-s.net/advisories/OSS-2017-02.pdf | Broken Link |
Configurations
History
10 Feb 2022, 07:22
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2017-097-01 - Vendor Advisory | |
References | (MISC) https://os-s.net/advisories/OSS-2017-02.pdf - Broken Link |
31 Jan 2022, 19:43
Type | Values Removed | Values Added |
---|---|---|
First Time |
Schneider-electric somachine
|
|
CPE | cpe:2.3:a:schneider-electric:somachine:1.4:sp1:*:*:*:*:*:* |
23 Aug 2021, 17:30
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:se:somachine:1.4:sp1:*:*:*:*:*:* |
Information
Published : 2017-04-06 21:59
Updated : 2023-12-10 12:01
NVD link : CVE-2017-7574
Mitre link : CVE-2017-7574
CVE.ORG link : CVE-2017-7574
JSON object : View
Products Affected
schneider-electric
- modicon_tm221ce16r
- somachine
- modicon_tm221ce16r_firmware
CWE
CWE-798
Use of Hard-coded Credentials