Weak default credentials, command injection bug found in building operation software

A vulnerability in servers programmed with Schneider Electric’s StruxureWare Building Operation software can be exploited by a low-skilled, remote attacker to gain access to the servers and make changes that could affect a building’s security.

What’s more, the software was also shipped with weak default user credentials that administrators weren’t required to change when setting up the system.

StruxureWare Building Operation software provides integrated monitoring, control and management of energy, HVAC, lighting and fire safety.

“Impact to individual organizations depends on many factors that are unique to each organization,” ICS-CERT has warned on Wednesday. “NCCIC/ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.”

The flaws can be found in Automation Server series (AS, AS-P) V1.7 and prior, and the Paris-based Schneider Electric has already released a new version of the server software.

“The user is no longer allowed to operate the system with default credentials and the minimal “msh” shell can no longer be circumvented,” the company noted in a security advisory published back in January.

Users are urged get the firmware update through their authorized service channel.

This is not the first vulnerability in a building automation system that has ever been found and it will certainly won’t be the last.

The IBM X-Force Ethical Hacking Team has recently published the results of their successful attempts to hack a building automation system, and their findings are depressing: basic hacking techniques were enough to perform this type of attack, and they were surprised about the number of security issues they encountered and were able to exploit: software security vulnerabilities, poor password practices, exposed router administration ports, and so on.