Schneider Electric SCADA Expert ClearSCADA Improper Authentication
Summary
| CVE | CVE-2014-5412 |
|---|---|
| State | PUBLISHED |
| Assigner | icscert |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2014-09-18 10:55:11 UTC |
| Updated | 2026-05-06 22:30:45 UTC |
| Description | Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allows remote attackers to read database records by leveraging access to the guest account. |
Risk And Classification
Primary CVSS: v2.0 5 from [email protected]
AV:N/AC:L/Au:N/C:P/I:N/A:N
Problem Types: CWE-287 | CWE-264 | CWE-287 CWE-287
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 2.0 | [email protected] | Primary | 5 | AV:N/AC:L/Au:N/C:P/I:N/A:N | |
| 2.0 | [email protected] | Secondary | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:N | |
| 2.0 | CNA | CVSS | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:N |
CVSS v2.0 Breakdown
AV:N/AC:L/Au:N/C:P/I:N/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Aveva | Clearscada | 2010 | r3 | All | All |
| Application | Aveva | Clearscada | 2010 | r3.1 | All | All |
| Application | Aveva | Clearscada | 2013 | r1 | All | All |
| Application | Aveva | Clearscada | 2013 | r1.1 | All | All |
| Application | Aveva | Clearscada | 2013 | r1.1a | All | All |
| Application | Aveva | Clearscada | 2013 | r1.2 | All | All |
| Application | Aveva | Clearscada | 2013 | r2 | All | All |
| Application | Schneider-electric | Scada Expert Clearscada | 2013 | r2.1 | All | All |
| Application | Schneider-electric | Scada Expert Clearscada | 2014 | r1 | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Schneider Electric | ClearSCADA | affected 2010 R3 (build 72.4560) | Not specified |
| CNA | Schneider Electric | ClearSCADA | affected 2010 R3.1 (build 72.4644) | Not specified |
| CNA | Schneider Electric | ClearSCADA | unaffected 2010 R3.2 | Not specified |
| CNA | Schneider Electric | SCADA Expert ClearSCADA | affected 2013 R1 (build 73.4729) | Not specified |
| CNA | Schneider Electric | SCADA Expert ClearSCADA | affected 2013 R1.1 (build 73.4832) | Not specified |
| CNA | Schneider Electric | SCADA Expert ClearSCADA | affected 2013 R1.1a (build 73.4903) | Not specified |
| CNA | Schneider Electric | SCADA Expert ClearSCADA | affected 2013 R1.2 (build 73.4955) | Not specified |
| CNA | Schneider Electric | SCADA Expert ClearSCADA | affected 2013 R2 (build 74.5094) | Not specified |
| CNA | Schneider Electric | SCADA Expert ClearSCADA | affected 2013 R2.1 (build 74.5192) | Not specified |
| CNA | Schneider Electric | SCADA Expert ClearSCADA | affected 2014 R1 (build 75.5210) | Not specified |
| CNA | Schneider Electric | SCADA Expert ClearSCADA | unaffected 2014 R1.1 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.cisa.gov/news-events/ics-advisories/icsa-14-259-01a | [email protected] | www.cisa.gov | |
| Schneider Electric SCADA Expert ClearSCADA Vulnerabilities (Update A) | ICS-CERT | af854a3a-2127-422b-91ae-364da2661108 | ics-cert.us-cert.gov | Third Party Advisory, US Government Resource |
| github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2014/icsa-14-25... | [email protected] | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Aditya Sood (en)
Additional Advisory Data
Solutions
CNA: Schneider Electric advises all ClearSCADA users to take steps to secure the interfaces to the ClearSCADA system. The ClearSCADA database security configuration should be reviewed and updated to limit all system access to authorized users only. The access permissions of existing users should be reduced to only those required by their role (e.g., removing any higher level System Administration privileges from Operations or Engineering users), and specific accounts should be created with appropriate permissions for performing System Administration tasks. Existing ClearSCADA customers using WebX can protect their system from cross-site scripting attacks by disabling the “Allow database shutdown via WebX” option within the ClearSCADA Server Configuration utility. Existing ClearSCADA customers should take measures to ensure their system does not grant any system access until users have supplied a valid username and password. Schneider Electric has corrected the default user security permissions; however, upgrading an existing vulnerable installation to a new version will not affect existing configured database security permissions. Therefore, the measures suggested here are strongly recommended for all users. Schneider Electric has corrected these vulnerabilities in the following service packs: * ClearSCADA 2010 R3.2, Released October 2014, and * SCADA Expert ClearSCADA 2014 R1.1, Released October 2014. If asset owners wish to upgrade to a new ClearSCADA Service Pack, please contact the local Schneider Electric office for the latest software version for ClearSCADA; alternatively, these new versions are available for direct download from the Schneider Electric web site. To update their license (not required when upgrading to a service pack of the same version), asset owners are required to complete and submit an online form, which is available here: http://resourcecenter.controlmicrosystems.com/display/CS/StruxureWare+SCADA+Expert+ClearSCADA+Update... http://resourcecenter.controlmicrosystems.com/display/CS/StruxureWare+SCADA+Expert+ClearSCADA+Update+Request+Form New Service packs for ClearSCADA are available for download here: http://resourcecenter.controlmicrosystems.com/display/CS/SCADA+Expert+ClearSCADA+Support General instructions on how to upgrade the ClearSCADA license (if required) are available here: http://resourcecenter.controlmicrosystems.com/display/CS/Updating+Your+ClearSCADA+License