
Schneider Electric Accutech Manager RFManagerService.exe Denial of Service

High

Synopsis

A stack exhaustion denial-of-service vulnerability exists in Schneider Electric Accutech Manager RFManagerService.exe v2.8.0.0. An unauthenticated remote attacker could exploit it to terminate the process by supplying an excessively long string to the service endpoint.

Solution

Upgrade to the latest version supplied by the vendor. At the time of this writing, that would be version 2.10.0.

Disclosure Timeline

May 28, 2024 - Tenable discloses to Schneider Electric.
May 29, 2024 - Schneider Electric acknowledges report and assigns reference ID SE-14590.
June 17, 2024 - Tenable requests status update from Schneider Electric.
June 18, 2024 - Schneider Electric provides status update.
July 15, 2024 - Tenable requests status update from Schneider Electric.
July 24, 2024 - Schneider Electric provides status update and requests disclosure extension. Tenable requests further information.
July 25, 2024 - Schneider Electric provides additional information and clarifies prior statements.
July 29, 2024 - Tenable reminds Schneider Electric of our disclosure policy and suggests releasing patches in the upcoming August patch cycle or on the original disclosure deadline.
July 30, 2024 - Schneider Electric agrees to release patches in their August 13 patching cycle. Tenable acknowledges.
August 7, 2024 - Schneider Electric requests advisory preview. Tenable sends advisory draft.
August 12, 2024 - Schneider Electric requests minor change to advisory draft. Tenable complies.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2024-29
CVSSv3 Base / Temporal Score: 7.5 / 6.7
CVSSv3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products: Schneider Electric Accutech Manager RFManagerService.exe v2.8.0.0 and prior
Risk Factor: High

Advisory Timeline

August 13, 2024 - Initial release.