Are StruxureWare DCE or NetBotz products vulnerable to Stack Clash (CVE-2017-1000364 and related IDs)?

 

Issue:
 
Are StruxureWare DCE or NetBotz vulnerable to "Stack Clash" (CVE-2017-1000364 and related IDs)? 
 
Product Line:
 
  • StruxureWare Data Center Expert (DCE)
  • NetBotz
 
 
Environment:
 
  • StruxureWare DCE v7.X
  • NetBotz (botzware) v4.X
 
Cause:
 
Schneider Electric has become aware of a vulnerability in the memory management of several operating systems referred to as the Stack Clash. It affects Linux, OpenBSD, NetBSD, FreeBSD and Solaris, on i386 and amd64. Qualys researchers discovered this vulnerability and developed seven exploits and seven proofs of concept for this weakness, then worked closely with vendors to develop patches.
 
Qualys blog: https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash 

Primary CVE ID: CVE-2017-1000364 | Related CVE IDs: CVE-2017-1000365, CVE-2017-1000367
 
 
Resolution:
 
  • NetBotz 4.X is not vulnerable to this issue because NetBotz does not use glibc and does not use a vulnerable kernel.
 
  • StruxureWare DCE v7.X is “vulnerable” in the sense that security scans will report it as such. However, exploiting the vulnerability requires local system access, and DCE does not provide local unprivileged user shell access, so there is nothing to exploit. Because the underlying Linux OS includes the affected packages, security scanners may continue to alert on the associated CVE IDs. The next release of DCE v7.X, available later in 2017, will include the latest patched libraries.

Cyber security is an important element of Schneider Electric's commitment to software quality. Regular vulnerability assessment and further investigation are ongoing on other Schneider Electric platforms in addition to the above, and any findings will be detailed if discovered.
 