Password Hash Insufficient Computational Effort in ClearSCADA and EcoStruxure Geo SCADA
CVE-2021-22741

6.7 MEDIUM

Summary

A vulnerability exists in ClearSCADA and EcoStruxure Geo SCADA Expert products because user account passwords are stored as hashes computed with insufficient computational effort. An attacker who gains access to the server database files can use this weakness to uncover account credentials, which leaves affected systems susceptible to password decryption attacks, so users should address the issue promptly. Note that '.sde' configuration export files do not store user account password hashes.

Affected Version(s)

ClearSCADA (all versions), EcoStruxure Geo SCADA Expert 2019 (all versions), and EcoStruxure Geo SCADA Expert 2020 (V83.7742.1 and prior). See the security notification for affected versions.

CVSS V3.1

Score: 6.7
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
