SlideShare a Scribd company logo

Schneider Electric Security Notification - spaceLYnk & Wiser for KNX (formerly homeLYnk)

Ismail Tasdelen
Ismail Tasdelen

Schneider Electric Security Notification - spaceLYnk & Wiser for KNX (formerly homeLYnk) Schneider Electric is aware of a vulnerability in the spaceLYnk and Wiser for KNX (formerly known as homeLYnk) products. All hardware versions of: • spaceLYnk • Wiser for KNX (formerly homeLYnk) CVE ID: CVE-2020-7525 CVSS v3.0 Base Score 7.5 | High | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists which could allow an attacker to guess a password when brute force is used.

Technology
1 of 4
Download to read offline
Schneider Electric Security Notification 11-Aug-20 Document Reference Number – SEVD-2020-224-02 Page 1 of 3 spaceLYnk & Wiser for KNX (formerly homeLYnk) 11 August 2020 Overview Schneider Electric is aware of a vulnerability in the spaceLYnk and Wiser for KNX (formerly known as homeLYnk) products. Affected Product(s) All hardware versions of: • spaceLYnk • Wiser for KNX (formerly homeLYnk) Vulnerability Details CVE ID: CVE-2020-7525 CVSS v3.0 Base Score 7.5 | High | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists which could allow an attacker to guess a password when brute force is used. Remediation This vulnerability is fixed in V2.5.1 and is available for download below: spaceLYnk: https://www.se.com/ww/en/product/LSS100200/spacelynk-logic-controller/ Wiser for KNX (formerly homeLYnk): https://www.se.com/ww/en/product/LSS100100/wiser-for- knx-logic-controller/ The following workarounds and mitigations can be applied by customers to reduce the risk: • Keep the spaceLYnk and Wiser for KNX (formerly homeLYnk) devices behind a firewall, create a firewall rule to whitelist only those devices allowed to access spaceLYnk and Wiser for KNX (formerly homeLYnk) devices; do not allow direct access to the internet. • Follow the General Security Recommendations in the section below.
Schneider Electric Security Notification 11-Aug-20 Document Reference Number – SEVD-2020-224-02 Page 2 of 3 Product Information Wiser for KNX (formerly known as homeLYnk) is a personalized home automation solution, offering a complete system based on open protocols: KNX, Modbus, BACnet and IP. spaceLYnk allows efficient facility management thanks to the convenient web-based user interface with maintenance information. Product Category - Residential and Small Business Learn more about Schneider Electric’s product categories here: https://www.se.com/us/en/all-products How to determine if you are affected All spaceLYnk and KNX (formerly homeLYnk) firmware versions before 2.5.1 are affected and should update to V2.5.1. General Security Recommendations We strongly recommend the following industry cybersecurity best practices. • Locate networks and remote devices behind firewalls and isolate them from the business network. • Install physical controls so no unauthorized personnel can access your components, peripheral equipment, and networks. • Never connect configuration software to any network other than the network for the devices that it is intended for. • Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks. • Never allow laptops that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation. • Minimize network exposure for all devices and systems; ensure that they are not accessible from the Internet. • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
Schneider Electric Security Notification 11-Aug-20 Document Reference Number – SEVD-2020-224-02 Page 3 of 3 Acknowledgements Schneider Electric recognizes the following researcher(s) for identifying and helping to coordinate a response to this vulnerability: CVE Researcher(s) Name CVE-2020-7525 Ismail Tasdelen For More Information This document provides an overview of the identified vulnerability or vulnerabilities and actions required to mitigate. For more details and assistance on how to protect your installation, please contact your local Schneider Electric representative and/or Schneider Electric Industrial Cybersecurity Services. These organizations will be fully aware of this situation and can support you through the process. https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp https://www.se.com/ww/en/work/services/field-services/industrial-automation/industrial- cybersecurity/industrial-cybersecurity.jsp Legal Disclaimer THIS DOCUMENT IS INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN “AS-IS” BASIS WITHOUT WARRANTY OF ANY KIND. SCHNEIDER ELECTRIC DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL SCHNEIDER ELECTRIC BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE USE OF THIS NOTIFICATION, INFORMATION CONTAINED HEREIN, OR MATERIALS LINKED TO IT ARE AT YOUR OWN RISK. SCHNEIDER ELECTRIC RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION. About Schneider Electric At Schneider, we believe access to energy and digital is a basic human right. We empower all to make the most of their energy and resources, ensuring Life Is On everywhere, for everyone, at every moment. We provide energy and automation digital solutions for efficiency and sustainability. We combine world-leading energy technologies, real-time automation, software and services into integrated solutions for Homes, Buildings, Data Centers, Infrastructure and Industries.
Schneider Electric Security Notification 11-Aug-20 Document Reference Number – SEVD-2020-224-02 Page 4 of 3 We are committed to unleash the infinite possibilities of an open, global, innovative community that is passionate about our Meaningful Purpose, Inclusive and Empowered values. www.se.com Revision Control: Version 1 11 August 2020 Original Release Product Security Office Digitally signed by Product Security Office Date: 2020.08.08 18:13:29 -04'00'

Recommended

Schneider Electric Security Notification Security Notification -Embedded Web ...
Schneider Electric Security Notification Security Notification -Embedded Web ...Schneider Electric Security Notification Security Notification -Embedded Web ...
Schneider Electric Security Notification Security Notification -Embedded Web ...
Ismail Tasdelen
 
Conext SmartBox-BA Owners Guide (975-0752-01-01_Rev-C)_ENG
Conext SmartBox-BA Owners Guide (975-0752-01-01_Rev-C)_ENGConext SmartBox-BA Owners Guide (975-0752-01-01_Rev-C)_ENG
Conext SmartBox-BA Owners Guide (975-0752-01-01_Rev-C)_ENG
Jayvee Vergara
 
Y1299-90001_StartupGuide
Y1299-90001_StartupGuideY1299-90001_StartupGuide
Y1299-90001_StartupGuide
Chris Muntzer
 
1578545905_DAQ970AUG.pdf
1578545905_DAQ970AUG.pdf1578545905_DAQ970AUG.pdf
1578545905_DAQ970AUG.pdf
Douglas303925
 
Vulnerability threat and attack
Vulnerability threat and attackVulnerability threat and attack
Vulnerability threat and attack
newbie2019
 
第7回VEC制御システムサイバーセキュリティカンファレンス
第7回VEC制御システムサイバーセキュリティカンファレンス第7回VEC制御システムサイバーセキュリティカンファレンス
第7回VEC制御システムサイバーセキュリティカンファレンス
chomchana trevai
 
7 en02 0330-00
7 en02 0330-007 en02 0330-00
7 en02 0330-00
pilyoing
 
GE디지털 월드테크 브로셔(GE Digital Wurldtech)
GE디지털 월드테크 브로셔(GE Digital Wurldtech)GE디지털 월드테크 브로셔(GE Digital Wurldtech)
GE디지털 월드테크 브로셔(GE Digital Wurldtech)
GE코리아
 

Recommended

Schneider Electric Security Notification Security Notification -Embedded Web ...
Schneider Electric Security Notification Security Notification -Embedded Web ...Schneider Electric Security Notification Security Notification -Embedded Web ...
Schneider Electric Security Notification Security Notification -Embedded Web ...
Ismail Tasdelen
 
Conext SmartBox-BA Owners Guide (975-0752-01-01_Rev-C)_ENG
Conext SmartBox-BA Owners Guide (975-0752-01-01_Rev-C)_ENGConext SmartBox-BA Owners Guide (975-0752-01-01_Rev-C)_ENG
Conext SmartBox-BA Owners Guide (975-0752-01-01_Rev-C)_ENG
Jayvee Vergara
 
Y1299-90001_StartupGuide
Y1299-90001_StartupGuideY1299-90001_StartupGuide
Y1299-90001_StartupGuide
Chris Muntzer
 
1578545905_DAQ970AUG.pdf
1578545905_DAQ970AUG.pdf1578545905_DAQ970AUG.pdf
1578545905_DAQ970AUG.pdf
Douglas303925
 
Vulnerability threat and attack
Vulnerability threat and attackVulnerability threat and attack
Vulnerability threat and attack
newbie2019
 
第7回VEC制御システムサイバーセキュリティカンファレンス
第7回VEC制御システムサイバーセキュリティカンファレンス第7回VEC制御システムサイバーセキュリティカンファレンス
第7回VEC制御システムサイバーセキュリティカンファレンス
chomchana trevai
 
7 en02 0330-00
7 en02 0330-007 en02 0330-00
7 en02 0330-00
pilyoing
 
GE디지털 월드테크 브로셔(GE Digital Wurldtech)
GE디지털 월드테크 브로셔(GE Digital Wurldtech)GE디지털 월드테크 브로셔(GE Digital Wurldtech)
GE디지털 월드테크 브로셔(GE Digital Wurldtech)
GE코리아
 
S000342 t
S000342 tS000342 t
S000342 t
mark scott
 
Smart viewreporter
Smart viewreporterSmart viewreporter
Smart viewreporter
sagarsethi87
 
Managed Vulnerability Scan
Managed Vulnerability ScanManaged Vulnerability Scan
Managed Vulnerability Scan
Shawn Jordan
 
505 de vol1 copy
505 de vol1 copy505 de vol1 copy
505 de vol1 copy
Ravi shankar
 
国际物联网安全标准与认证大解析
国际物联网安全标准与认证大解析国际物联网安全标准与认证大解析
国际物联网安全标准与认证大解析
Onward Security
 
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 ComplianceFeldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
CoreTrace Corporation
 
Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:
CoreTrace Corporation
 
Ivanti Security Controls.pptx
Ivanti Security Controls.pptxIvanti Security Controls.pptx
Ivanti Security Controls.pptx
FarhanSaifudin2
 
Vijeo citect quick start tutorial - part 1 ver d
Vijeo citect quick start tutorial - part 1 ver dVijeo citect quick start tutorial - part 1 ver d
Vijeo citect quick start tutorial - part 1 ver d
Abdul Budiman
 
Substation Cyber Security
Substation Cyber SecuritySubstation Cyber Security
Substation Cyber Security
Schneider Electric
 
Network Security v1.0 Network Security v
Network Security v1.0 Network Security vNetwork Security v1.0 Network Security v
Network Security v1.0 Network Security v
SYYULIANISKOMMT
 
M_SERIES_621x.pdfeiefwqifuiewqfbhiqufhua
M_SERIES_621x.pdfeiefwqifuiewqfbhiqufhuaM_SERIES_621x.pdfeiefwqifuiewqfbhiqufhua
M_SERIES_621x.pdfeiefwqifuiewqfbhiqufhua
tungduong17062003
 
Rik Ferguson
Rik FergusonRik Ferguson
Rik Ferguson
CloudExpoEurope
 
Msi k9 n_series_manual
Msi k9 n_series_manualMsi k9 n_series_manual
Msi k9 n_series_manual
escuelaem
 
Firewall ppt.pptx
Firewall ppt.pptxFirewall ppt.pptx
Firewall ppt.pptx
BhushanLokhande12
 
IRJET- Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
IRJET- Image Steganography using Pixel Pattern Matching in Cloud Data Sto...IRJET- Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
IRJET- Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
IRJET Journal
 
Industrial Cyber Security - EVF 2019 Alexandre Darcherif
Industrial Cyber Security - EVF 2019 Alexandre DarcherifIndustrial Cyber Security - EVF 2019 Alexandre Darcherif
Industrial Cyber Security - EVF 2019 Alexandre Darcherif
Alexandre Darcherif
 
CS155 Computer And Network Security.docx
CS155 Computer And Network Security.docxCS155 Computer And Network Security.docx
CS155 Computer And Network Security.docx
write31
 
Defending against industrial malware
Defending against industrial malwareDefending against industrial malware
Defending against industrial malware
Ayed Al Qartah
 
SHIELD_overview_presentation_INFOCOM2018.pptx
SHIELD_overview_presentation_INFOCOM2018.pptxSHIELD_overview_presentation_INFOCOM2018.pptx
SHIELD_overview_presentation_INFOCOM2018.pptx
officelifehq
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
FIDO Alliance
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
Lorenzo Miniero
 

More Related Content

Similar to Schneider Electric Security Notification - spaceLYnk & Wiser for KNX (formerly homeLYnk)

Smart viewreporter
Smart viewreporterSmart viewreporter
Smart viewreporter
sagarsethi87
 
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 ComplianceFeldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
CoreTrace Corporation
 
Vijeo citect quick start tutorial - part 1 ver d
Vijeo citect quick start tutorial - part 1 ver dVijeo citect quick start tutorial - part 1 ver d
Vijeo citect quick start tutorial - part 1 ver d
Abdul Budiman
 
Substation Cyber Security
Substation Cyber SecuritySubstation Cyber Security
Substation Cyber Security
Schneider Electric
 
Msi k9 n_series_manual
Msi k9 n_series_manualMsi k9 n_series_manual
Msi k9 n_series_manual
escuelaem
 
CS155 Computer And Network Security.docx
CS155 Computer And Network Security.docxCS155 Computer And Network Security.docx
CS155 Computer And Network Security.docx
write31
 
Defending against industrial malware
Defending against industrial malwareDefending against industrial malware
Defending against industrial malware
Ayed Al Qartah
 

Similar to Schneider Electric Security Notification - spaceLYnk & Wiser for KNX (formerly homeLYnk) (20)

S000342 t
S000342 tS000342 t
S000342 t
 
Smart viewreporter
Smart viewreporterSmart viewreporter
Smart viewreporter
 
Managed Vulnerability Scan
Managed Vulnerability ScanManaged Vulnerability Scan
Managed Vulnerability Scan
 
505 de vol1 copy
505 de vol1 copy505 de vol1 copy
505 de vol1 copy
 
国际物联网安全标准与认证大解析
国际物联网安全标准与认证大解析国际物联网安全标准与认证大解析
国际物联网安全标准与认证大解析
 
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 ComplianceFeldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
 
Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:
 
Ivanti Security Controls.pptx
Ivanti Security Controls.pptxIvanti Security Controls.pptx
Ivanti Security Controls.pptx
 
Vijeo citect quick start tutorial - part 1 ver d
Vijeo citect quick start tutorial - part 1 ver dVijeo citect quick start tutorial - part 1 ver d
Vijeo citect quick start tutorial - part 1 ver d
 
Substation Cyber Security
Substation Cyber SecuritySubstation Cyber Security
Substation Cyber Security
 
Network Security v1.0 Network Security v
Network Security v1.0 Network Security vNetwork Security v1.0 Network Security v
Network Security v1.0 Network Security v
 
M_SERIES_621x.pdfeiefwqifuiewqfbhiqufhua
M_SERIES_621x.pdfeiefwqifuiewqfbhiqufhuaM_SERIES_621x.pdfeiefwqifuiewqfbhiqufhua
M_SERIES_621x.pdfeiefwqifuiewqfbhiqufhua
 
Rik Ferguson
Rik FergusonRik Ferguson
Rik Ferguson
 
Msi k9 n_series_manual
Msi k9 n_series_manualMsi k9 n_series_manual
Msi k9 n_series_manual
 
Firewall ppt.pptx
Firewall ppt.pptxFirewall ppt.pptx
Firewall ppt.pptx
 
IRJET- Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
IRJET- Image Steganography using Pixel Pattern Matching in Cloud Data Sto...IRJET- Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
IRJET- Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
 
Industrial Cyber Security - EVF 2019 Alexandre Darcherif
Industrial Cyber Security - EVF 2019 Alexandre DarcherifIndustrial Cyber Security - EVF 2019 Alexandre Darcherif
Industrial Cyber Security - EVF 2019 Alexandre Darcherif
 
CS155 Computer And Network Security.docx
CS155 Computer And Network Security.docxCS155 Computer And Network Security.docx
CS155 Computer And Network Security.docx
 
Defending against industrial malware
Defending against industrial malwareDefending against industrial malware
Defending against industrial malware
 
SHIELD_overview_presentation_INFOCOM2018.pptx
SHIELD_overview_presentation_INFOCOM2018.pptxSHIELD_overview_presentation_INFOCOM2018.pptx
SHIELD_overview_presentation_INFOCOM2018.pptx
 

Recently uploaded

Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
FIDO Alliance
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Skynet Technologies
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
VictorSzoltysek
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
panagenda
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
Wonjun Hwang
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
Muhammad Subhan
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
FIDO Alliance
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Paige Cruz
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
Safe Software
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
Srushith Repakula
 

Recently uploaded (20)

Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 

Schneider Electric Security Notification - spaceLYnk & Wiser for KNX (formerly homeLYnk)

  • 1. Schneider Electric Security Notification 11-Aug-20 Document Reference Number – SEVD-2020-224-02 Page 1 of 3 spaceLYnk & Wiser for KNX (formerly homeLYnk) 11 August 2020 Overview Schneider Electric is aware of a vulnerability in the spaceLYnk and Wiser for KNX (formerly known as homeLYnk) products. Affected Product(s) All hardware versions of: • spaceLYnk • Wiser for KNX (formerly homeLYnk) Vulnerability Details CVE ID: CVE-2020-7525 CVSS v3.0 Base Score 7.5 | High | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists which could allow an attacker to guess a password when brute force is used. Remediation This vulnerability is fixed in V2.5.1 and is available for download below: spaceLYnk: https://www.se.com/ww/en/product/LSS100200/spacelynk-logic-controller/ Wiser for KNX (formerly homeLYnk): https://www.se.com/ww/en/product/LSS100100/wiser-for- knx-logic-controller/ The following workarounds and mitigations can be applied by customers to reduce the risk: • Keep the spaceLYnk and Wiser for KNX (formerly homeLYnk) devices behind a firewall, create a firewall rule to whitelist only those devices allowed to access spaceLYnk and Wiser for KNX (formerly homeLYnk) devices; do not allow direct access to the internet. • Follow the General Security Recommendations in the section below.
  • 2. Schneider Electric Security Notification 11-Aug-20 Document Reference Number – SEVD-2020-224-02 Page 2 of 3 Product Information Wiser for KNX (formerly known as homeLYnk) is a personalized home automation solution, offering a complete system based on open protocols: KNX, Modbus, BACnet and IP. spaceLYnk allows efficient facility management thanks to the convenient web-based user interface with maintenance information. Product Category - Residential and Small Business Learn more about Schneider Electric’s product categories here: https://www.se.com/us/en/all-products How to determine if you are affected All spaceLYnk and KNX (formerly homeLYnk) firmware versions before 2.5.1 are affected and should update to V2.5.1. General Security Recommendations We strongly recommend the following industry cybersecurity best practices. • Locate networks and remote devices behind firewalls and isolate them from the business network. • Install physical controls so no unauthorized personnel can access your components, peripheral equipment, and networks. • Never connect configuration software to any network other than the network for the devices that it is intended for. • Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks. • Never allow laptops that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation. • Minimize network exposure for all devices and systems; ensure that they are not accessible from the Internet. • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
  • 3. Schneider Electric Security Notification 11-Aug-20 Document Reference Number – SEVD-2020-224-02 Page 3 of 3 Acknowledgements Schneider Electric recognizes the following researcher(s) for identifying and helping to coordinate a response to this vulnerability: CVE Researcher(s) Name CVE-2020-7525 Ismail Tasdelen For More Information This document provides an overview of the identified vulnerability or vulnerabilities and actions required to mitigate. For more details and assistance on how to protect your installation, please contact your local Schneider Electric representative and/or Schneider Electric Industrial Cybersecurity Services. These organizations will be fully aware of this situation and can support you through the process. https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp https://www.se.com/ww/en/work/services/field-services/industrial-automation/industrial- cybersecurity/industrial-cybersecurity.jsp Legal Disclaimer THIS DOCUMENT IS INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN “AS-IS” BASIS WITHOUT WARRANTY OF ANY KIND. SCHNEIDER ELECTRIC DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL SCHNEIDER ELECTRIC BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE USE OF THIS NOTIFICATION, INFORMATION CONTAINED HEREIN, OR MATERIALS LINKED TO IT ARE AT YOUR OWN RISK. SCHNEIDER ELECTRIC RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION. About Schneider Electric At Schneider, we believe access to energy and digital is a basic human right. We empower all to make the most of their energy and resources, ensuring Life Is On everywhere, for everyone, at every moment. We provide energy and automation digital solutions for efficiency and sustainability. We combine world-leading energy technologies, real-time automation, software and services into integrated solutions for Homes, Buildings, Data Centers, Infrastructure and Industries.
  • 4. Schneider Electric Security Notification 11-Aug-20 Document Reference Number – SEVD-2020-224-02 Page 4 of 3 We are committed to unleash the infinite possibilities of an open, global, innovative community that is passionate about our Meaningful Purpose, Inclusive and Empowered values. www.se.com Revision Control: Version 1 11 August 2020 Original Release Product Security Office Digitally signed by Product Security Office Date: 2020.08.08 18:13:29 -04'00'