{}

Nos marques

{"support":{"yesButton":"Oui","noButton":"Non","feedback":{"title":"Quelles améliorations pouvons-nous apporter ?"},"submitButton":"Soumettre","successMessage":"Merci de nous avoir fait part de vos commentaires.","title":"Cela vous a-t-il été utile ?","feedbackPercentLabel":"personnes ont trouvé cela utile","captcha":{"error":"Veuillez cocher la case appropriée."}}}

Consulter notre FAQ

{"searchBar":{"inputPlaceholder":"Rechercher par mot-clé ou poser une question","searchBtn":"Rechercher","error":"Veuillez saisir un mot-clé pour effectuer une recherche"}}

Is StruxureWare DCE or NetBotz vulnerable to CVE-2017-7494 (Samba related vulnerability)?


Issue:
Are StruxureWare DCE or NetBotz vulnerable to CVE-2017-7494 (Samba related vulnerability)?

Product Line
StruxureWare Data Center Expert (DCE)
- Basic Appliance (AP9465)
- Standard Appliance (AP9470)
- Enterprise Appliance (AP9475)
- Virtual Appliance (AP94VMACT)
StruxureWare Central (SWC)
InfraStruXure Central (ISXC)


Environment
StruxureWare Data Center Expert (all versions)
StruxureWare Central (all versions)
InfraStruXure Central (all versions)

Cause:
Schneider Electric has become aware of a critical vulnerability in the daemon that offers file sharing capabilities in Samba. Samba is a suite of tools that helps in the interoperability between UNIX with Microsoft Windows allowing Linux, Mac and FreeBSD users to set up and share folders on Windows computers using the server message block (SMB) protocol. Experts say the vulnerability can be exploited with just one line of code and has the potential to spread quickly. Samba versions 3.5 (released March 1, 2010) and onwards are impacted.

The vulnerability allows an attacker to open a SMB share (TCP/445), upload a shared library to the writable share, and then cause the server to load and execute it.

CVE ID: CVE-2017-7494: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7494

Samba Disclosure: https://www.samba.org/samba/security/CVE-2017-7494.html


Resolution:

NetBotz 4.X is not vulnerable to this issue because an unaffected version of Samba is used.

StruxureWare DCE v7.X runs on Linux but does not export SMB shares, so it is not vulnerable.  Since the Linux OS has samba packages installed that are necessary for client services, security scanners may continue to alert on the presence of CVE-2017-7494.  The next release of DCE v7.X available later in 2017 will include the latest patched libraries.

Cyber Security is an important element of Schneider Electrics' commitment to software quality. Regular vulnerability assessment and further investigation is ongoing on other Schneider Electric platforms in addition to the above and will be detailed if discovered.
En savoir plus
En savoir plus

Vous ne trouvez pas ce que vous recherchez ?

Contactez notre service client local si vous avez des questions ou si vous avez besoin de plus de détails ou d'une assistance technique.