Analysis Summary
# Vulnerability: Information Leak from Schneider Electric Project Files (KLCERT-21-007)
## CVE Details
- CVE ID: CVE-2021-22782
- CVSS Score: 0.0 (None). Note: the provided CVSS vector `AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` indicates a High Confidentiality impact with a Local Attack Vector, which does not match the reported score of 0.0. The vector is assumed to be more indicative of the potential impact, but the listed score is reported here as given.
- CWE: Information Exposure (Inferred from description)
## Affected Systems
- Products:
  - Schneider Electric EcoStruxure™ Control Expert (including former Unity Pro)
  - Schneider Electric EcoStruxure™ Process Expert (including former EcoStruxure™ Hybrid DCS)
  - Schneider Electric SCADAPack RemoteConnect™ for x70
- Versions:
  - EcoStruxure Control Expert/Unity Pro: all versions prior to V15.0 SP1
  - EcoStruxure Process Expert/Hybrid DCS: all versions prior to V2021
  - SCADAPack RemoteConnect for x70: all versions
## Vulnerability Description
This vulnerability is an information leak issue stemming from project files used within the affected Schneider Electric engineering software. Successful exploitation allows an attacker to read sensitive data contained within these project files, potentially exposing network configurations, operational process information, stored credentials, or intellectual property.
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but PoC information is implied by the CVSS vector (Local access required).
- Complexity: Low (Based on AV:L/AC:L)
- Attack Vector: Local (AV:L)
## Impact
- Confidentiality: High (C:H in vector)
- Integrity: None (I:N in vector)
- Availability: None (A:N in vector)
## Remediation
### Patches
- **EcoStruxure Control Expert / Unity Pro:** Update to **V15.1**. The fix is implemented via an additional feature called "file encryption" introduced in V15.0 SP1, which should be enabled. Customers using Unity Pro are strongly recommended to migrate to EcoStruxure Control Expert.
- **EcoStruxure Process Expert / Hybrid DCS:** Update to **V2021**. Refer to instructions for EcoStruxure Control Expert regarding encryption features.
- **SCADAPack RemoteConnect for x70:** Schneider Electric is establishing a remediation plan for future versions.
### Workarounds
For **all products** (where applicable until patched):
1. Store project files in secure storage and restrict access to trusted users only.
2. Encrypt project files when stored locally.
3. When exchanging files over the network, use secure communication protocols.
4. Only open project files received from trusted sources.
5. Compute a hash of each project file and regularly check its consistency to verify integrity before usage.
6. Harden the workstation running the affected software.
7. For Control Expert, configure security levels for Derived Function Blocks (DFB) in addition to file encryption (if running v15.0 SP1 or later).
## Detection
- **Indicators of Compromise:** Unauthorized access or reading of project files (.sta, etc.) or data being extracted from secure configuration workstations.
- **Detection methods and tools:** Monitor workstations for unusual file access patterns on project directories. Implement file integrity monitoring on critical project assets.
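
One way to carry out workaround 5 and the file integrity monitoring suggested above, as an added example that is not taken from the vendor or Kaspersky advisories. The `.sta` default comes from this page; the function names, the JSON baseline format and the command-line arguments are assumptions.

```python
import hashlib
import json
import sys
from pathlib import Path

# Assumption: ".sta" is the only extension named on this page; extend the tuple as needed.
PROJECT_EXTENSIONS = (".sta",)

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large project archives are never fully loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root, extensions=PROJECT_EXTENSIONS):
    """Return {relative_path: sha256} for every project file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in extensions
    }

def write_baseline(root, baseline_path, extensions=PROJECT_EXTENSIONS):
    """Record the trusted state; keep the baseline outside the project directory."""
    baseline = snapshot(root, extensions)
    Path(baseline_path).write_text(json.dumps(baseline, indent=2, sort_keys=True))
    return baseline

def verify(root, baseline_path, extensions=PROJECT_EXTENSIONS):
    """Compare the current files with the baseline before any project is opened."""
    baseline = json.loads(Path(baseline_path).read_text())
    current = snapshot(root, extensions)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }

def is_clean(report):
    """True only when nothing was modified, removed or added since the baseline."""
    return not any(report.values())

if __name__ == "__main__" and len(sys.argv) == 4:
    mode, root_dir, baseline_file = sys.argv[1:]  # mode: "baseline" or "verify"
    if mode == "baseline":
        write_baseline(root_dir, baseline_file)
    else:
        report = verify(root_dir, baseline_file)
        print(json.dumps(report, indent=2))
        sys.exit(0 if is_clean(report) else 1)
```

A hash check detects tampering with or replacement of a project file, not reads of it; unauthorized reads are addressed by the access restrictions and file-access monitoring listed above.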
## References
- Vendor Advisory: Schneider Electric (Specific reference not provided in abstract)
- Kaspersky Advisory: hxxps://ics-cert.kaspersky.com/advisories/2022/05/20/klcert-21-007-schneider-electric-ecostruxure-control-expert-process-expert-scadapack-remoteconnect-for-x70-information-leak-from-project-file/