Last week the US Cybersecurity and Infrastructure Security Agency (CISA) published an industrial control system (ICS) security advisory covering a number of vulnerabilities in Schneider Electric Easergy medium-voltage protection relays.
According to the advisory, successful exploitation of the vulnerabilities may disclose the credentials used to access the device, cause a denial of service or a device reboot, or allow an attacker to gain full control of the device, which may compromise the security of the power grid.
Two high-severity vulnerabilities affect Easergy P3 versions up to 30.205 and Easergy P5 versions up to 01.401.101.
CVE-2022-22722 (CVSS score 7.5 out of 10) – use of hard-coded credentials, which can be used to view and manipulate device traffic.
CVE-2022-22723 and CVE-2022-22725 (CVSS score 8.8 out of 10) – buffer overflows, which can cause programs to crash or allow arbitrary code execution when specially crafted packets are sent to the device over the network.
Schneider Electric fixed the vulnerabilities on January 11, 2022.