The critical issue is that when a user logs into the system, their credentials (username and password) are sent unencrypted over the network connection between your device (the client) and the system (the server). It is unclear from Schneider’s advisory by what means an attacker can discover the plaintext credentials, but it is very likely by using a man-in-the-middle (MITM) attack or simply by having access to the client device and monitoring its network traffic.
Why Should This Issue Be Considered Important?
Since an attacker can potentially log in to this automation system using the same credentials that you would, they can perform any action they wish, which in the worst case scenario means obtaining total control over the system.
In addition, there are no workarounds for this issue, but Schneider are unaware of this issue being used to attack customers. This issue was responsibly disclosed to them by an independent security researcher, Artyom Kurbatov.
How Can I Protect Myself From This Issue?
Schneider have released an update to this automation system bringing it to version 2.15. All versions prior to this are vulnerable to this issue. Please follow the directions within this ICS-CERT security advisory, which also references the advisory from Schneider (PDF) for this issue, to install the necessary update.
As mentioned in the ICS-CERT advisory, if you are unsure about the risks of upgrading the firmware of your building management system, please contact your account manager or Schneider Technical Support for assistance.