ICS Advisory

Schneider Electric NMC cards and Embedded Devices

Last Revised
Alert Code
ICSA-21-313-01

1. EXECUTIVE SUMMARY

  • CVSS v3 6.8
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Schneider Electric
  • Equipment: Network Management Cards (NMC) and NMC Embedded Devices
  • Vulnerabilities: Cross-site Scripting, Exposure of Sensitive Information to an Unauthorized Actor

2. RISK EVALUATION

Successful exploitation of these vulnerabilities may allow data disclosure or cross-site scripting, which could result in an execution of malicious web code or a loss of device functionality.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products are affected, see Schneider Electric’s Security Notification SEVD-2021-313-03 for more details on the affected products:

Uninterruptible Power Supply (UPS) Products

  • 1-Phase Uninterruptible Power Supply (UPS) using NMC2, including Smart-UPS, Symmetra, and Galaxy 3500 with Network Management Card 2 (NMC2): NMC2 AOS v6.9.8 and prior
  • 3-Phase Uninterruptible Power Supply (UPS) using NMC2, including Symmetra PX 250/500 (SYPX) Network Management Card 2 (NMC2): NMC2 AOS v6.9.6 and prior
  • 3-Phase Uninterruptible Power Supply (UPS) using NMC2 including Symmetra PX 48/96/100/160 kW UPS (PX2), Symmetra PX 20/40 kW UPS (SY3P), Gutor (SXW, GVX), and Galaxy (GVMTS, GVMSA, GVXTS, GVXSA, G7K, GFC, G9KCHU): NMC2 AOS v6.9.6 and prior
  • 1-Phase Uninterruptible Power Supply (UPS) using NMC3 including Smart-UPS, Symmetra, and Galaxy 3500 with Network Management Card 3 (NMC3): NMC3 AOS v1.4.2.1 and prior

APC Power Distribution Products

  • APC Rack Power Distribution Units (PDU) using NMC2: NMC2 AOS v6.9.6 and prior
  • APC Rack Power Distribution Units (PDU) using NMC3: NMC3 AOS v1.4.0 and prior
  • APC 3-Phase Power Distribution Products using NMC2: NMC2 AOS v6.9.6 and prior
  • Network Management Card 2 (NMC2) for InfraStruxure 150 kVA PDU with 84 Poles (X84P): NMC2 AOS v6.9.6 and prior
  • Network Management Card 2 for InfraStruxure 40/60kVA PDU (XPDU): NMC2 AOS v6.9.6 and prior
  • Network Management Card 2 for Modular 150/175kVA PDU (XRDP): NMC2 AOS v6.9.6 and prior
  • Network Management Card 2 for 400 and 500 kVA (PMM): NMC2 AOS v6.9.6 and prior
  • Network Management Card 2 for Modular PDU (XRDP2G): NMC2 AOS v6.9.6 and prior
  • Rack Automatic Transfer Switches (ATS): NMC2 AOS v6.9.6 and prior

Environmental Monitoring

  • Environmental Monitoring Unit with embedded NMC2 (NB250) NetBotz NBRK0250: NMC2 AOS v6.9.6 and prior

Cooling Products

  • Network Management Card 2 (NMC2) Cooling Products: NMC2 AOS v6.9.6 and prior

Battery Management Products

  • Network Management Card 2 (NMC2) AP9922 Battery Management System (BM4): NMC2 AOS v6.9.6 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1    IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79

A vulnerability could cause arbitrary script execution when a privileged account clicks on a malicious URL specifically crafted for the NMC pointing to a delete policy file.

CVE-2021-22810 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).

3.2.2    IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79

A vulnerability could cause script execution when the request of a privileged account accessing the vulnerable web page is intercepted.

CVE-2021-22811 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).

3.2.3    IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79

A vulnerability could cause arbitrary script execution when a privileged account clicks on a malicious URL specifically crafted for the NMC.

CVE-2021-22812 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).

3.2.4    IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79

A vulnerability could cause arbitrary script execution when a privileged account clicks on a malicious URL specifically crafted for the NMC pointing to an edit policy file.

CVE-2021-22813 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).

3.2.5    IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79

A vulnerability could cause arbitrary script execution when a malicious file is read and displayed.

CVE-2021-22814 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).

3.2.6    EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

A vulnerability could allow the troubleshooting archive to be accessed.

CVE-2021-22815 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Andrea Palanca of Nozomi Networks and Chua Wei Kiat and Thanh Nguyen of Fortinet's FortiGuard Labs reported these vulnerabilities.

4. MITIGATIONS

Schneider Electric recommends the following:

For the products not listed above, Schneider Electric is in the process of establishing a remediation plan for affected NMC2 and NMC3 offers. This plan will include fixes or mitigations for these vulnerabilities. This document will be updated as remediations become available. Until then, users should immediately apply the following mitigations to reduce the risk of exploit:

  • NMC users should not trust links provided from sources that have not been verified as authentic.
  • Ensure the workstation where the browser is being used is secured.
  • If a debug.tar file is generated via Web or CLI, ensure it is deleted after retrieval.

Schneider Electric strongly recommends the following industry cybersecurity best practices.

  • Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
  • Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
  • Never connect programming software to any network other than the network for the devices that it is intended for.
  • Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
  • Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
  • Minimize network exposure for all control system devices and systems and ensure they are not accessible from the Internet.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.



CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.



Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

This product is provided subject to this Notification and this Privacy & Use policy.

Vendor

Schneider Electric