Information has been published about a critical vulnerability in the software used for configuring human-machine interfaces (HMI) in Schneider Electric industrial devices. The CVE-2020-7544 vulnerability rated at 7.8 on the CVSS v3.1 scale could cause a Windows local user privilege escalation when using Schneider Electric’s EcoStruxure™ Operator Terminal Expert (previously known as Vijeo XD) or Pro-face BLUE software or the WinGP runtime engine. The latter two products were found to be vulnerable in January 2021, while the vulnerability itself was first described two months prior to that.
EcoStruxure™ Operator Terminal Expert and Pro-face BLUE are designed for configuring HMI terminals which support gestures as well as flexible user interface designs. The WinGP runtime engine is a component of Schneider Electric HMI design and editing software.
The vendor has placed the vulnerability in the CWE 269 Improper Privilege Management category. The advisory states that systems running Windows which support UEFI are not vulnerable. The vendor recommends downloading the security update from their website for all other systems. No information is available about the specific type and characteristics of the vulnerability, which might not coincide with the weakness enumeration mentioned by Schneider Electric (CWE 269 Improper Privilege Management). Possibly, research into the security of the above products’ execution in the Windows environment is still underway.
Curiously, the vendor’s advisory rates the vulnerability at 7.4 on the CVSS 3.0 scale, citing the high complexity of the attack and the lack of privileges required for the attack (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A). At the same time, the NVD database states that the attack complexity is low, there is a minimal level of privileges required and thus the attack is rated at 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). It is likely that the vendor can provide a more precise evaluation of the vulnerability given the specifics of exploitation in the OT environment. But the difference in ratings makes for more confusion in the already vague existing information about the vulnerability.
Vulnerability information publication date: November 10, 2020. Updated on January 12, 2021.
Source: Schneider Electric