CVE-2020-7489

A CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability exists on EcoStruxure Machine Expert – Basic or SoMachine Basic programming software (versions in security notification). The result of this vulnerability, DLL substitution, could allow the transference of malicious code to the controller.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://www.se.com/ww/en/download/document/SEVD-2020-105-01	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:schneider-electric:ecostruxure_machine_expert::::::::
	cpe:2.3:a:schneider-electric:somachine_basic::::::::

Configuration 2 (hide)

AND

cpe:2.3:o:schneider-electric:modicon_m100_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:modicon_m100:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:schneider-electric:modicon_m200_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:modicon_m200:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:schneider-electric:modicon_m221_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:modicon_m221:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-04-22 19:15

Updated : 2024-02-28 17:47

NVD link : CVE-2020-7489

Mitre link : CVE-2020-7489

CVE.ORG link : CVE-2020-7489

JSON object : View

Products Affected

schneider-electric

ecostruxure_machine_expert
modicon_m221
modicon_m100
modicon_m221_firmware
modicon_m200
somachine_basic
modicon_m200_firmware
modicon_m100_firmware

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

{"id": "CVE-2020-7489", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2020-04-22T19:15:11.777", "references": [{"url": "https://www.se.com/ww/en/download/document/SEVD-2020-105-01", "tags": ["Patch", "Vendor Advisory"], "source": "cybersecurity@se.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-74"}]}, {"type": "Secondary", "source": "cybersecurity@se.com", "description": [{"lang": "en", "value": "CWE-74"}]}], "descriptions": [{"lang": "en", "value": "A CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability exists on EcoStruxure Machine Expert \u2013 Basic or SoMachine Basic programming software (versions in security notification). The result of this vulnerability, DLL substitution, could allow the transference of malicious code to the controller."}, {"lang": "es", "value": "A CWE-74: Hay una vulnerabilidad de Neutralizaci\u00f3n Inapropiada de Elementos Especiales en una Salida Utilizada por un Componente Descendente ('Injection') en el software de programaci\u00f3n EcoStruxure Machine Expert \u2013 Basic o SoMachine Basic (versiones en notificaci\u00f3n de seguridad). El resultado de esta vulnerabilidad, la sustituci\u00f3n de la DLL, que podr\u00eda permitir la transferencia de c\u00f3digo malicioso al controlador."}], "lastModified": "2022-01-31T20:49:14.197", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_machine_expert:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E30E4E9A-2FD2-4F8E-B9EE-7771CEB93094"}, {"criteria": "cpe:2.3:a:schneider-electric:somachine_basic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2BCEA269-6242-41FD-B141-F72CAFC8F114"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:modicon_m100_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "817B5BC0-1368-4E03-994D-DECDC0B48F0F"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:schneider-electric:modicon_m100:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "3FDBB3F0-20B6-4585-AEA1-F732C83AA791"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:modicon_m200_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "802A6F54-4630-4434-A9DA-FCE7634F7C73"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:schneider-electric:modicon_m200:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A184ABF9-9C27-46AB-88DB-78246FC779AF"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:modicon_m221_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "97963104-B620-4AE1-BD6C-7BF714497F78"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:schneider-electric:modicon_m221:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "BB0D83F4-B718-47AB-AFB8-B576CB138AAC"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cybersecurity@se.com"}