Schneider Electric ASCO 5310 and 5350 Remote Annunciators Resource Allocation Vulnerability Leading to Denial-of-Service

A denial-of-service vulnerability has been identified in the ASCO 5310 Single-Channel Remote Annunciator and ASCO 5350 Eight-Channel Remote Annunciator. This vulnerability, classified under CWE-770, allows for the allocation of resources without limits or throttling. When malicious packets are sent to the device's web server, communications can be disrupted, potentially causing a loss of availability or integrity for the remote annunciator functions. However, the basic operation of the transfer switch itself remains unaffected.

Impact

Exploitation of this vulnerability can lead to a denial-of-service condition, causing communications to the device to stop and disrupting the remote annunciator's ability to monitor transfer switch status or perform transfer/retransfer operations.

Remediation

Users are advised to operate these remote annunciator devices in a protected environment, minimizing network exposure and ensuring they are not accessible from the public internet or untrusted networks. Default passwords should be changed to prevent unauthorized access to device settings and information. Network segmentation should be implemented, and firewalls should be used to block unauthorized access to the annunciator's web server port. For the ASCO 5310, refer to the 'Installation Manual | ASCO 5310 ATS Remote Annunciator', and for the ASCO 5350, consult the 'Installation Manual | ASCO 5350 ATS Remote Annunciator'. Schneider Electric is also developing a remediation plan for future versions of these products.