Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands.
The following versions of CNM, ethernet network management software, are affected:
The affected product has an issue with privilege management, which could cause an arbitrary command execution when the software is configured with specially crafted event actions.
CVE-2021-22801 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
David Yesland, working with Trend Micro’s Zero Day Initiative, reported this vulnerability to CISA.
Schneider Electric recommends users protect their installation with the following:
**STEP 1:** Download and run the CNM Alarms Disabler Tool.
**Usage:** Place the disabler tool and the .cxn project file in the same directory. From a shell prompt in that directory, execute the following command:
Important: The converter secures and modifies the CNM database and stores it in a new project file. Before a database coming from an untrusted source is loaded into CNM, users must run the converter. Note the original database is not modified. Therefore, if the original database needs to be loaded once more, it must be converted first.
**STEP 2:** Set up the “Edit Password” in the CNM software. The “Edit Mode” is enabled by default. Users must activate the edit protection by switching to “Run mode” before exiting the application. Please refer to the chapter “Edit Mode” of the CNM user manual (packaged in the .iso file).
Schneider Electric also recommends that users apply appropriate patching methodologies when applying these patches to their systems. We strongly recommend the use of back-ups and evaluating the impact of these patches in a Test and Development environment or on an offline infrastructure. Contact Schneider Electric’s Customer Care Center if you need assistance removing a patch.
If users choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:
For more information see Schneider Electric’s security notification: SEVD-2021-285-02
CISA recommends users take the following measures to protect themselves from social engineering attacks:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.
Contact Information
For any questions related to this report, please contact the CISA at:
Email: [email protected]
Toll Free: 1-888-282-0870
For industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics
or incident reporting: https://us-cert.cisa.gov/report