Full Report
The vulnerability affects the Schneider Electric Software Update (SESU) tool, which is used to notify users when updated Schneider Electric software is available.
Analysis Summary
# Vulnerability: Schneider Electric Software Update (SESU) Insecure File Permissions
## CVE Details
- **CVE ID:** CVE-2018-7801
- **CVSS Score:** 7.8 (High)
- **CWE:** CWE-276 (Incorrect Default Permissions)
## Affected Systems
- **Products:** Schneider Electric Software Update (SESU)
- **Versions:** All versions prior to v2.2.0
- **Configurations:** Systems where the SESU tool is installed to manage Schneider Electric software updates.
## Vulnerability Description
A vulnerability exists in the Schneider Electric Software Update (SESU) tool due to insecure file permissions (CWE-276) within the application's installation folder. Specifically, the tool sets weak Access Control Lists (ACLs) on its executable files or directories. An authenticated local attacker can replace the legitimate SESU binary with a malicious file. Because the SESU service runs with elevated system privileges, the malicious code will execute with those same high-level privileges when the service starts or the update process is triggered.
## Exploitation
- **Status:** PoC available (Technique is a well-known "Service File Permissions" privilege escalation)
- **Complexity:** Low
- **Attack Vector:** Local (Requires local access to the machine to modify files)
## Impact
- **Confidentiality:** High (Full access to system data)
- **Integrity:** High (Ability to modify system files and configurations)
- **Availability:** High (Ability to disable services or the entire system)
## Remediation
### Patches
- **Upgrade to SESU v2.2.0 or later.**
- This version corrects the file system permissions during the installation process to prevent unauthorized modification.
- The update can be obtained via the SESU tool itself (if functional) or from the Schneider Electric website.
### Workarounds
- **Manual Permission Hardening:** Manually restrict write access to the SESU installation directory (typically `%ProgramFiles(x86)%\Schneider Electric\Software Update`) so only Administrators/SYSTEM have "Write" and "Modify" permissions.
- **Principle of Least Privilege:** Ensure users do not have administrative rights on workstations unless strictly necessary. This limits overall exposure but does not by itself close the issue, because the vulnerability lets a standard (non-administrative) local user escalate to SYSTEM; the weak ACL still has to be corrected.
## Detection
- **Indicators of Compromise:**
  - Presence of unauthorized or unsigned `.exe` files in the SESU installation directory.
  - Unexpected system-level activity originating from the `SESU.exe` process (or related service binaries).
- **Detection Methods:**
  - Audit file system permissions for the SESU folder using tools like `icacls` or PowerShell.
  - Monitor for "File Write" events in the Program Files directory by non-administrative users.
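The permission audit named under Workarounds and Detection Methods, as an added PowerShell example that is not code from the advisory or from Schneider Electric. It assumes the default installation path given above and treats only SYSTEM, BUILTIN\Administrators and TrustedInstaller as legitimate holders of write-class rights; any other principal with such rights on the folder or a file beneath it is reported as a finding.

```powershell
# Added example, not code from the advisory or from Schneider Electric: audit the
# SESU installation folder for ACEs granting write-class rights to non-privileged
# principals, the condition CVE-2018-7801 describes. Path is the one named in the
# Workarounds section (assumed default); adjust if SESU is installed elsewhere.
$SesuDir = Join-Path ${env:ProgramFiles(x86)} 'Schneider Electric\Software Update'

# Rights that let a principal replace or alter a file: any write bit, Delete,
# ChangePermissions, TakeOwnership, plus GENERIC_ALL / GENERIC_WRITE (0x10000000,
# 0x40000000), which appear as raw numbers on some inherited ACEs. Read-only bits
# are deliberately excluded so "Read & Execute" for Users is not flagged.
$FSR = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($FSR::Write -bor $FSR::Delete -bor $FSR::ChangePermissions -bor $FSR::TakeOwnership) -bor 0x10000000 -bor 0x40000000

# Principals expected to hold write rights on a Program Files subtree (well-known SIDs).
$TrustedSids = @('S-1-5-18', 'S-1-5-32-544',   # NT AUTHORITY\SYSTEM, BUILTIN\Administrators
                 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')  # NT SERVICE\TrustedInstaller

function Get-WeakAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($TrustedSids -contains $sid) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if (-not (Test-Path -LiteralPath $SesuDir)) {
    Write-Warning "SESU directory not found: $SesuDir"
    return
}

# Check the folder and everything beneath it; a weak ACE on any binary is enough
# for the replacement scenario, even if the folder itself is locked down.
$targets  = @($SesuDir) + @(Get-ChildItem -LiteralPath $SesuDir -Recurse -Force | ForEach-Object FullName)
$findings = @($targets | ForEach-Object { Get-WeakAce -Path $_ })

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Output "Weak ACEs found: $($findings.Count). Restrict those principals to Read & Execute (see Workarounds)."
} else {
    Write-Output "No write-class ACEs for non-privileged principals under $SesuDir."
}
```

Run it as a script file after upgrading or hardening to confirm the fix took effect; rerun after any SESU reinstall, since an installer can reset inherited ACLs.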
## References
- **Schneider Electric Advisory:** hxxps[://]www[.]se[.]com/ww/en/download/document/SEVD-2018-282-01/
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/blog/2018/11/08/schneider-electric-has-fixed-a-vulnerability-in-sesu-software/
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2018-7801