Red Team Research Discovered 6 new zero-day Vulnerabilities in Schneider Electric StruxureWare

“A zero-day vulnerability is a software security flaw that is known to the software vendor but doesn’t have a patch in place to fix the flaw. It has the potential to be exploited by cybercriminals” – Norton.

A team was setup by TIM’s Cybersecurity to detect the vulnerabilities that a potential attacker could exploit to carry out particular attacks on TIM’s infrastructure and highlight the real impacts found out.

The activity was targeted at not just known vulnerabilities, but also at zero-day vulnerabilities (vulnerabilities not known publicly)

Any zero day vulnerabilities found would be discreetly communicated to the manufacturer of the software to analyse and fix/patch the bug within 90 days

Schneider Electric, a European MNC which provides energy and automation solutions for efficiency and sustainability was the recent beneficiary of a few of the findings of this team.

The 6 vulnerabilities which are found are addressed below:

CVE-2020-7569

Vulnerability Description:  Unrestricted Upload of File with Dangerous Type
Software Version: VAM:  Schneider Electric StruxureWare Building Operation WebReports versions 1.0 – 3.1.
CVSv3: 4.6
Unrestricted Upload of File with Dangerous Type vulnerability exists that could cause an authenticated remote user being able to upload arbitrary files due to incorrect verification of user supplied files and achieve remote code execution.

CVE-2020-7572

Vulnerability Description: Improper Restriction of XML External Entity Reference
Software Version: Schneider Electric StruxureWare Building Operation WebReports versions 1.9 – 3.1.
CVSv3: 6.7A remote user, authenticated to Building Operation WebReports, is able to inject arbitrary XML code containing a reference to an external entity via a crafted HTTP request into the server-side XML parser without being sanitized. By exploiting this vulnerability, an attacker can access the contents of a file on the system potentially containing sensitive data, other restricted web resources via server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts like a denial of service.

CVE-2020-28209

Vulnerability Description: Windows Unquoted Search Path
Software Version: Schneider Electric StruxureWare Building Operation Enterprise Server Installer versions 1.0 – 3.1 and Enterprise Central Installer versions 2.0 – 3.1.
CVSv3: 2.0Any local Windows user who has to write permission on at least one of the subfolders of the Connect Agent service binary path, being able to gain the privilege of the user who started the service. By default, the Enterprise Server and Enterprise Central are always installed at a location requiring Administrator privileges so the vulnerability is only valid if the application has been installed on a non-secure location.

CVE-2020-7570

Vulnerability Description: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting Stored)
Software Version: Schneider Electric StruxureWare Building Operation WebReports versions 1.9 – 3.1.
CVSv3: 6.4
Improper Neutralization of Input During Web Page Generation (Cross-site Scripting Stored) vulnerability exists that could cause an authenticated remote user being able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Cross-Site Scripting stored attack against other WebReport users.

CVE-2020-7571

Vulnerability Description: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting Reflected)
Software Version: Schneider Electric StruxureWare Building Operation WebReports versions 1.9 – 3.1.
CVSv3: 6.1
Multiple Improper Neutralization of Input During Web Page Generation (Cross-site Scripting Reflected) vulnerability exists that could cause a remote attacker to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Cross-Site Scripting reflected attack against other WebReport users.

CVE-2020-7573

Vulnerability Description: Improper Access Control
Software Version: Schneider Electric StruxureWare Building Operation WebReports versions 1.9 – 3.1.
CVSv3: 5.0
A remote non-authenticated attacker is able to access a restricted web resource due to improper access control.