Important Security Notification for PSE, PME, and Power Manager
Issue
Schneider Electric has become aware of a vulnerability in the licensing brick of Power Monitoring Expert, Power Manager, and PowerSCADA Expert.
This vulnerability could allow a remote, unauthenticated attacker to potentially execute arbitrary code on the server.
Product Line
Power Monitoring Expert 8.1
Power Monitoring Expert 8.0
Power Monitoring Expert 7.2.x
Power Manager 1.x
PowerSCADA Expert 8.1
PowerSCADA Expert 8.0 SR1
PowerSCADA Expert 7.40
PowerSCADA Expert 7.30
PowerSCADA Anywhere
Environment
Flexera Software FlexNet Publisher
Cause
Flexera Software FlexNet Publisher is a software license manager that is part of the Power Monitoring Expert, Power Manager, and PowerSCADA Expert licensing brick.
Flexera Software reported a vulnerability in its Flexera FlexNet Publisher, CVE-2016-6273.
This vulnerability could permit a remote attacker to cause a denial of service.
CVSS scores are a standard way of ranking vulnerabilities and are provided for reference; they should be adapted by individual users as required.
Overall CVSS v3 Base Score: 7.5 High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Multiple buffer overflows in (1) lmgrd and (2) Vendor Daemon in Flexera FlexNet Publisher before 11.13.1.2 Security Update 1 allow remote attackers to execute arbitrary code via a crafted packet with opcode (a) 0x107 or (b) 0x10a.
Resolution Mitigation
To exploit this issue, an attacker would need network access to the Power Monitoring Expert, Power Manager, or PowerSCADA Expert server.
New customers: Schneider Electric has re-released the Power Monitoring Expert 8.1 (all editions), Power Manager 1.2, and PowerSCADA Expert 8.1 installers (ISO).
Existing customers: Schneider Electric strongly recommends that existing customers upgrade their systems as soon as possible. The following provides links to instructions for addressing software that is potentially at risk from this vulnerability:
Power Monitoring Expert 8.1: Apply the latest security update, available in the following location: https://schneider-electric.box.com/s/ggjl3u201rqfxol9bx15q5ia02ie0aoq
Power Monitoring Expert 8.0: Upgrade to the latest release of Power Monitoring Expert 8.1. Available here: http://www.schneider-electric.us/en/faqs/FA328586
Power Monitoring Expert 7.2.x: A security hotfix is available for Power Monitoring Expert 7.2.2. Upgrade to version 7.2.2 if required and then apply the hotfix available here: https://schneider-electric.box.com/s/cyf9tgvj0ryiai09rdk2l85xa6inxbkm
Power Manager 1.2: Apply the latest security update, available in the following location: https://schneider-electric.box.com/s/zngdr7hudc4a5dwx8842e7josnde5vb8
Power Manager 1.0 and 1.1: Upgrade to the latest re-released version of Power Manager. Installer can be found here: https://schneider-electric.box.com/s/08s5vvq9l4us57r3v5ykbsh00wivf721
PowerSCADA Expert 8.1, PowerSCADA Expert 8.0 SR1 and / or PowerSCADA Anywhere: Apply the latest security update, available in the following location: https://schneider-electric.box.com/s/sqrpz5cl6965q2coxh4ommtv5ui6llyu
PowerSCADA Expert 8.0, 7.40, 7.30: The Flexera Software FlexNet components were not used in these versions of PowerSCADA Expert.
However, as a precaution, we recommend that users uninstall Floating License Manager and License Manager (from Add/Remove Programs), if they have been installed.
For More Information
This document is intended to provide an overview of the identified vulnerability and actions required for mitigation.
To obtain full details and assistance on how to protect your installation, please contact your local Schneider Electric representative.
Your representative will be fully aware of the situation and can support you through the process.
For further information on vulnerabilities in Schneider Electric products, please visit the Schneider Electric cyber security web page at: http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cybersecurity.page