# Full Report
This vulnerability could allow a local Windows user to escalate privileges when using the EcoStruxure™ Operator Terminal Expert and Pro-face BLUE software and the WinGP runtime environment from Schneider Electric.
# Analysis Summary
# Vulnerability: Local Privilege Escalation in Schneider Electric HMI Software
## CVE Details
- **CVE ID:** CVE-2020-28213
- **CVSS Score:** 7.8 (High)
- **CWE:** CWE-284 (Improper Access Control) / CWE-732 (Incorrect Permission Assignment for Critical Resource)
## Affected Systems
- **Products:**
  - EcoStruxure™ Operator Terminal Expert
  - Pro-face BLUE
  - WinGP (Runtime Environment)
- **Versions:**
  - EcoStruxure™ Operator Terminal Expert: versions prior to v3.2
  - Pro-face BLUE: versions prior to v3.2
  - WinGP: all versions shipped with the above software releases prior to v3.2
- **Configurations:** Systems where the software is installed on Windows OS and accessible by a local user with standard privileges.
## Vulnerability Description
The vulnerability stems from improper access control settings on specific folders and files used by the HMI configuration software. An unprivileged local user could modify or replace critical application files or configuration data. Because these applications often run with elevated system permissions or interact with high-privilege services, a local attacker can exploit these weak permissions to execute arbitrary code in the context of a higher-privileged user, effectively achieving Local Privilege Escalation (LPE).
## Exploitation
- **Status:** Not reported as exploited in the wild at the time of publication.
- **Complexity:** Low
- **Attack Vector:** Local (Attacker must have local access to the machine).
## Impact
- **Confidentiality:** High (Access to all system data upon escalation).
- **Integrity:** High (Ability to modify system files and application logic).
- **Availability:** High (Ability to crash the system or disable HMI services).
## Remediation
### Patches
Schneider Electric has released updates to address this vulnerability. Users are advised to update to the following versions:
- **EcoStruxure™ Operator Terminal Expert:** Update to v3.2 or later.
- **Pro-face BLUE:** Update to v3.2 or later.
### Workarounds
If immediate patching is not possible:
- Strictly limit physical and remote access to HMI workstations to authorized personnel only.
- Implement the principle of least privilege (PoLP) and ensure standard users do not have write access to application directories (e.g., `C:\Program Files...` or `C:\ProgramData...` associated with Schneider Electric).
## Detection
- **Indicators of Compromise:**
  - Unauthorized changes to executable files (`.exe`, `.dll`) or configuration files within the Schneider Electric installation directories.
  - Identification of new, unknown local accounts with administrative privileges.
- **Detection methods and tools:**
  - Monitor Windows File Integrity Monitoring (FIM) logs for changes in restricted application folders.
  - Use security auditing tools to scan for "Insecure File/Folder Permissions" (e.g., PowerUp or similar audit scripts).
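The workaround (no standard-user write access to the application directories) and the detection method (scanning for insecure folder permissions) can both be checked with the following audit script. It is an added example, not vendor code or a PowerUp module; the `Schneider Electric` folder names under Program Files and ProgramData are assumed placeholders and should be adjusted to the actual install paths.

```powershell
# Added example (not the vendor's code): list ACEs on the HMI software's
# install/data folders that grant write-capable rights to principals every
# standard local user belongs to. A hit is the CWE-732 condition behind
# CVE-2020-28213: an unprivileged user could replace files the software loads.
# Assumption: folder names below are placeholders; adjust to the real paths.
$Roots = @(
    "$env:ProgramFiles\Schneider Electric",
    "${env:ProgramFiles(x86)}\Schneider Electric",
    "$env:ProgramData\Schneider Electric"
)
# Groups that any interactive standard user is a member of.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Specific rights that allow tampering (Modify/FullControl include these bits)
# plus the GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) access bits.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
                   $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor
                   $R::TakeOwnership) -bor 0x40000000 -bor 0x10000000

function Find-WeakAcl {
    param([string[]]$Paths)
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $items = @(Get-Item -LiteralPath $root) +
                 @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                # Cast to int so unmapped generic-rights values are still tested.
                if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Findings with Inherited = True usually mean the parent folder's ACL is the
# real problem; fix it there (e.g. icacls <path> /remove:g Users) once the
# vendor software is confirmed not to need that access, then re-run.
Find-WeakAcl -Paths $Roots | Format-Table -AutoSize
```

Run it from an elevated prompt so every subfolder's ACL can be read; an empty result means no broad principal holds write-capable rights on the audited trees.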
## References
- **Vendor Advisories:**
  - Schneider Electric Security Notification SEVD-2021-012-01: hxxps[://]www[.]se[.]com/ww/en/download/document/SEVD-2021-012-01/
- **Relevant Links:**
  - Kaspersky ICS CERT Advisory: hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2021/01/26/critical-vulnerability-in-schneider-electric-hmi-configuration-software/
  - MITRE CVE Entry: hxxps[://]cve[.]mitre[.]org/cgi-bin/cvename[.]cgi?name=CVE-2020-28213