Another Schneider vuln: Plaintext passwords on client-side RAM resolved

Schneider Electric has issued a patch for its StruxureWare Data Center Expert industrial control kit following the discovery of a flaw that could allow remote access to unencrypted passwords. The product is designed to monitor physical infrastructure at data centres handling everything from cooling to backup generators. The …

  1. Dave 15

    unencrypted passwords?

    I thought that most architectures forced applications to ask about a password; they didn't get passwords to the app side to do strcmps.

    At some point there is no stopping the fact that a password will be typed by a user, and that if you have enough data on what is happening you can find out if the login was a success. If you can link the password to the success, you have it.

    However, that is relatively easy to solve. My bank, in fact, is the one I use because their security is better than most. For my account I have a password and a passnumber. When I want access, the computer asks for 2 letters (e.g. letter 3 and letter 6), and then 2 numbers (e.g. number 1 and number 4). It then uses this for a yes/no answer. Thus if you are listening you get the info for the session I have started, but nothing more. Next time it will ask for different letters and different numbers. You could listen for a long time and work it out, but that would require patience and depend on my frequency of access.
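The partial-password scheme described in the comment above, as an added illustration (not code from the article or from any bank): a server-side yes/no check on two letter positions and two digit positions, plus a function that measures how much of the secret an eavesdropper has seen after a given set of sessions. The password, passnumber and challenge positions are constructed for the demo.

```python
import random

# Constructed secrets for the demo (not real credentials).
PASSWORD = "tangerine"   # letters, positions 1..9
PASSNUMBER = "482913"    # digits, positions 1..6


def make_challenge(rng, pw_len=len(PASSWORD), num_len=len(PASSNUMBER)):
    """Pick 2 distinct letter positions and 2 distinct digit positions (1-based)."""
    letters = sorted(rng.sample(range(1, pw_len + 1), 2))
    digits = sorted(rng.sample(range(1, num_len + 1), 2))
    return letters, digits


def answer(challenge, password=PASSWORD, passnumber=PASSNUMBER):
    """What the legitimate user types for a challenge, e.g. letters 3 and 6, numbers 1 and 4."""
    letters, digits = challenge
    return [password[i - 1] for i in letters] + [passnumber[i - 1] for i in digits]


def verify(challenge, response, password=PASSWORD, passnumber=PASSNUMBER):
    """Server-side yes/no check. The server has to read individual characters of
    the secret, so it cannot hold only a whole-string hash (a caveat of the scheme)."""
    return list(response) == answer(challenge, password, passnumber)


def exposure_after(challenges):
    """Fraction of secret positions disclosed across the observed sessions.
    Repeated positions add nothing; only newly asked positions leak."""
    seen_letters, seen_digits = set(), set()
    for letters, digits in challenges:
        seen_letters.update(letters)
        seen_digits.update(digits)
    total = len(PASSWORD) + len(PASSNUMBER)
    return (len(seen_letters) + len(seen_digits)) / total


def sessions_until_full_exposure(seed=1):
    """Count random challenges until every position has been asked at least once
    (the 'listen for a long time' case from the comment; seeded for repeatability)."""
    rng = random.Random(seed)
    challenges = []
    while exposure_after(challenges) < 1.0:
        challenges.append(make_challenge(rng))
    return len(challenges)


if __name__ == "__main__":
    c = ([3, 6], [1, 4])
    print(answer(c), verify(c, answer(c)), exposure_after([c]))
    print("sessions until full exposure:", sessions_until_full_exposure())
```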

  2. Anonymous Coward

    The flaw – discovered

    "The flaw .. meant an attacker can recover passwords from RAM on the client side of the platform, where they are held in unencrypted form."

    OHH - really!
