Vulnerabilities > CVE-2021-22741 - Use of Password Hash With Insufficient Computational Effort vulnerability in Schneider-Electric products

CVSS 6.7 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

HIGH

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

schneider-electric

CWE-916

NVD

Published: 2021-05-26

Updated: 2021-06-07

Summary

Use of Password Hash with Insufficient Computational Effort vulnerability exists in ClearSCADA (all versions), EcoStruxure Geo SCADA Expert 2019 (all versions), and EcoStruxure Geo SCADA Expert 2020 (V83.7742.1 and prior), which could cause the revealing of account credentials when server database files are available. Exposure of these files to an attacker can make the system vulnerable to password decryption attacks. Note that “.sde” configuration export files do not contain user account password hashes.

Vulnerable Configurations

Part	Description	Count
Application	Schneider-Electric Schneider Electric Ecostruxure GEO Scada Expert 2019 * Schneider Electric Ecostruxure GEO Scada Expert 2020 - Schneider Electric Ecostruxure GEO Scada Expert 2020 83.7551.1 Schneider Electric Ecostruxure GEO Scada Expert 2020 83.7578.1 Schneider Electric Ecostruxure GEO Scada Expert 2020 83.7613.1 Schneider Electric Ecostruxure GEO Scada Expert 2020 83.7641.1 Schneider Electric Ecostruxure GEO Scada Expert 2020 83.7692.1 Schneider Electric Ecostruxure GEO Scada Expert 2020 83.7717.1 Schneider Electric Ecostruxure GEO Scada Expert 2020 83.7742.1 Schneider Electric Clearscada *	10

Common Weakness Enumeration (CWE)

CWE-916 - Use of Password Hash With Insufficient Computational Effort

References

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-130-07