Schneider patches yet ANOTHER dumb vuln

Schneider Electric has pushed out a patch to an industrial control system which – stop me if you've heard this before – passes credentials between client and server in plain text. CVE-2015-3962 applies to the company's Struxureware Building Expert, prior to version 2.15, and the company has released an update to the system ( …

  1. mathew42

    wireshark?

    If this is as bad as it sounds, then wireshark on the network for 15 minutes should have found this. Given the bad stuff that can happen if these systems are hacked (see Iran) this is poor.

    Do Schneider not have someone with security in their QA department?

    Do the companies purchasing this gear not have a security person in their IT department?

    1. frank ly

      Re: wireshark?

      "Do the companies purchasing this gear not have a security person in their IT department?"

      They might do, but as an old engineer said to me many years ago, "Why should I put any effort into assessing bids when they always buy the cheapest one no matter what I say?"

      1. Robert Helpmann??

        Re: wireshark?

        ...but as an old engineer said to me many years ago...

        I can only provide one up-vote for this though it deserves more than just the one. I wish there was some commonly used way of bidding purchases (and contracts, for that matter) that filtered out those that are a lousy deal at any price.

  2. Pascal Monett

    Okay, so it's a stupid mistake

    But it's an industrial thingy. Who says the threat was real? If companies set up the production network physically airgapped from the Internet, then what's the problem?

    Oh, of course, silly me. Expecting production lines to be separate from beancounter PCs who obviously have to access Facebook as well when they're not providing colored charts to Upper Manglement detailing the day's production down to the minute.

    Ok, I'm off.

  3. jake

    One word:

    Dumbasses.

    OK, couple more words ... Remember back when Sun Microsystems shipped all systems with a default root login/password? Took years to clean up after that bone-headed mistake. In fact, I just re-purposed a Sun 3/470 with the original, factory /etc/passwd file ... It had been online for nearly 25 years, gawd/ess only knows how many times it was compromised ... I went into fsdb to see if I could figure out when the system logs were disabled, but that info was long-gone.

    She's running NetBSD today, and looks a lot happier.
