Are StruxureWare DCE or NetBotz products affected by the Stack Clash attack?

A:

o NetBotz 4.X is not vulnerable to this issue because NetBotz doesn’t use glibc and it also doesn’t use a kernel that is vulnerable.

o StruxureWare DCE v7.X is “vulnerable”, as it would show in security scans. However, to exploit the vulnerability, an individual needs local system access, and DCE does not provide local unprivileged user shell access. This means there is nothing to exploit. Because the underlying Linux OS has the affected packages installed as part of the overall OS, security scanners may continue to alert on the presence of the associated CVE IDs. The next release of DCE v7.X, available later in 2017, will include the latest patched libraries.

Cyber Security is an important element of Schneider Electric’s commitment to software quality. Regular vulnerability assessment and further investigation are ongoing on other Schneider Electric platforms in addition to the above, and any issues will be detailed if discovered.