Issue:
Are StruxureWare DCE or NetBotz vulnerable to CVE-2017-7494 (Samba related vulnerability)?

Product Line
StruxureWare Data Center Expert (DCE) StruxureWare Central (SWC)
InfraStruXure Central (ISXC)


Environment
StruxureWare Data Center Expert (all versions)
StruxureWare Central (all versions)
InfraStruXure Central (all versions)

Cause:
Schneider Electric has become aware of a critical vulnerability in the daemon that offers file sharing capabilities in Samba. Samba is a suite of tools that helps in the interoperability between UNIX with Microsoft Windows allowing Linux, Mac and FreeBSD users to set up and share folders on Windows computers using the server message block (SMB) protocol. Experts say the vulnerability can be exploited with just one line of code and has the potential to spread quickly. Samba versions 3.5 (released March 1, 2010) and onwards are impacted.

The vulnerability allows an attacker to open a SMB share (TCP/445), upload a shared library to the writable share, and then cause the server to load and execute it.

CVE ID: CVE-2017-7494: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7494

Samba Disclosure: https://www.samba.org/samba/security/CVE-2017-7494.html


Resolution:

NetBotz 4.X is not vulnerable to this issue because an unaffected version of Samba is used.

StruxureWare DCE v7.X runs on Linux but does not export SMB shares, so it is not vulnerable.  Since the Linux OS has samba packages installed that are necessary for client services, security scanners may continue to alert on the presence of CVE-2017-7494.  The next release of DCE v7.X available later in 2017 will include the latest patched libraries.

Cyber Security is an important element of Schneider Electrics' commitment to software quality. Regular vulnerability assessment and further investigation is ongoing on other Schneider Electric platforms in addition to the above and will be detailed if discovered.

Released for: Schneider Electric Vietnam