
Rewterz Threat Advisory – ICS: Schneider Electric EcoStruxure Building Operation (EBO)

Severity

High

Analysis Summary

CVE-2020-7569

An unrestricted upload of a file with dangerous type vulnerability could allow an authenticated remote user to upload arbitrary files, due to incorrect verification of user-supplied files, and achieve remote code execution.

CVE-2020-7570

An improper neutralization of an input during webpage generation vulnerability could allow an authenticated remote user to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a stored cross-site scripting attack against other WebReport users.

CVE-2020-7571

Multiple improper neutralization of input during webpage generation vulnerabilities could allow a remote attacker to inject arbitrary web script or HTML, due to incorrect sanitization of user-supplied data, and achieve a reflected cross-site scripting attack against other WebReport users.

CVE-2020-7572 

An improper restriction of XML external entity reference vulnerability could allow an authenticated remote user to inject arbitrary XML code and obtain disclosure of confidential data, cause a denial-of-service condition, or execute server-side request forgery due to improper configuration of the XML parser.

CVE-2020-7573 

An improper access control vulnerability could allow a remote attacker access to restricted web resources due to improper access control.

CVE-2020-28209

An unquoted search path vulnerability could allow any local Windows user with write permissions on at least one of the subfolders of the connect agent service binary path to gain the privilege of the user who started the service. 
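For the unquoted search path class described under CVE-2020-28209, the following added example (not code from Schneider Electric or from this advisory) flags service command lines that are unquoted and contain spaces, and lists the folders whose write permissions should be reviewed. The service names and paths are constructed placeholders; on a real host the strings would come from each service's ImagePath registry value.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample values shaped like the ImagePath string under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>. Names and paths are hypothetical.
SAMPLE_SERVICES = {
    "ExampleAgent": r"C:\Program Files\Example Vendor\Agent\agent.exe -service",
    "QuotedAgent": r'"C:\Program Files\Example Vendor\Agent\agent.exe" -service',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
}
# Finds where the executable ends and its arguments begin in an unquoted value.
_EXE_END = re.compile(r"^(.*?\.(?:exe|bat|cmd|com))(?:\s|$)", re.IGNORECASE)


def executable_part(image_path):
    """Return the executable path without arguments, or None if it is quoted."""
    cmd = image_path.strip()
    if cmd.startswith('"'):
        return None  # quoted: the path is unambiguous
    match = _EXE_END.match(cmd)
    return match.group(1) if match else cmd


def folders_to_review(image_path):
    """Folders whose write ACLs matter for an unquoted path containing spaces."""
    exe = executable_part(image_path)
    if exe is None or " " not in exe:
        return []
    parts = PureWindowsPath(exe).parts
    # For every component that contains a space, report the folder holding it.
    return [
        str(PureWindowsPath(*parts[:i]))
        for i, part in enumerate(parts[1:], start=1)
        if " " in part
    ]


def audit(services):
    """Map service name -> folders to review, for affected services only."""
    checked = {name: folders_to_review(path) for name, path in services.items()}
    return {name: folders for name, folders in checked.items() if folders}


if __name__ == "__main__":
    for name, folders in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces; review write ACLs on {folders}")
```

A flagged service is corrected by quoting the executable path in its configuration and by removing write access for unprivileged users on the listed folders.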

CVE-2020-28210 

An improper neutralization of an input during webpage generation vulnerability could allow an attacker to inject HTML and JavaScript code into the user’s browser.

Impact

  • Loss of availability
  • Confidentiality
  • Integrity

Affected Vendors

Schneider Electric

Affected Products

  • WebReports v1.9 – v3.1
  • WebStation v2.0 – v3.1
  • Enterprise Server installer v1.9 – v3.1
  • Enterprise Central installer v2.0 – v3.1

Remediation

Schneider Electric recommends that users upgrade to Version 3.2.