Six zero-day flaws found in Schneider Electric products allow hackers to take control of smart buildings

EcoStruxure Building Operation (EBO), a product family developed by Schneider Electric, has been affected by a number of zero-day vulnerabilities tracked over the past six months. The flaws have already been fixed, so detailed information is now available.

The EcoStruxure Building Operation toolset (formerly known as StruxureWare Building Operation) is designed to monitor, control, and manage smart building support functions such as power, lighting, fire safety, heating, ventilation, and air conditioning.

The flaws were reported by a security team from TIM, the leading company in Italy’s communications market. The specialists' reports reached the developers in a timely manner, so the vulnerabilities were fixed as soon as possible.

Below is a brief description of the reported flaws, along with their CVE identifiers and the scores assigned under the Common Vulnerability Scoring System (CVSS):

  • CVE-2020-7569: This flaw disables restrictions on downloading some files, which would allow the execution of malicious code. The flaw received a score of 8.8/10.
  • CVE-2020-7572: An incorrect restriction of references to external XML entities (XXE) would allow sensitive information to be disclosed by injecting XML. The flaw received a score of 8.8/10.
  • CVE-2020-28209: A Windows search path is not enclosed in quotation marks (an unquoted search path). Under certain conditions, threat actors could perform an escalation of privileges on the target system. This flaw received a score of 7.7/10.
  • CVE-2020-7570: An XSS flaw could be exploited for HTML injection into a target website. The flaw received a CVSS score of 5.4/10.
  • CVE-2020-7571: An XSS flaw would allow malicious code injection into vulnerable systems. The vulnerability received a score of 5.4/10.
  • CVE-2020-7573: Improper implementation of access controls would allow threat actors to access the restricted web resources of the target system. The flaw received a CVSS score of 6.5/10.
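The unquoted-path weakness behind CVE-2020-28209 can be audited for on any Windows host. The following is an added example, not code from the article or from Schneider Electric: it flags launch commands whose program path contains spaces but is not quoted, and suggests the quoted form. It assumes the commands come from exported service `ImagePath` values (the article does not say where the unquoted path lives); all entry names and paths are constructed.

```python
import re

# Where the program path ends. Assumption: audited entries launch one of
# these file types; anything after the extension is treated as arguments.
_EXE_END = re.compile(r"\.(exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)


def executable_part(command_line):
    """Return (program_path, was_quoted) for a launch command line."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    m = _EXE_END.search(s)
    if m:
        return s[:m.end()], False
    # No recognizable extension: fall back to the first token.
    return (s.split(None, 1)[0] if s else ""), False


def is_unquoted_with_spaces(command_line):
    """True when the program path is ambiguous: spaces and no quotes."""
    path, quoted = executable_part(command_line)
    return (not quoted) and " " in path


def quoted_fix(command_line):
    """Return the command with its program path wrapped in double quotes."""
    path, quoted = executable_part(command_line)
    if quoted or " " not in path:
        return command_line
    return '"' + path + '"' + command_line.strip()[len(path):]


def audit(entries):
    """entries: iterable of (name, command_line). Returns flagged names."""
    return sorted(n for n, cmd in entries if is_unquoted_with_spaces(cmd))


# Constructed sample data (hypothetical service names and paths).
SAMPLE = [
    ("ExampleBuildingSvc",
     r"C:\Program Files\Example Vendor\Building Server\server.exe --service"),
    ("ExampleQuotedSvc",
     r'"C:\Program Files\Example Vendor\Agent\agent.exe" -k run'),
    ("ExampleNoSpaceSvc", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("ExampleArgSpaceSvc", r"C:\Tools\collector.exe --config C:\My Configs\c.ini"),
]

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print(name, "->", quoted_fix(dict(SAMPLE)[name]))
```

Spaces that appear only in the arguments (the last sample entry) are not flagged, since the ambiguity affects only the program path.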

Patches should be installed immediately to fully mitigate the risk of exploitation. For users who cannot install updates immediately, we recommend that you review the following measures:

  • Deny access to the EBO server from untrusted networks
  • Place the EBO system on an isolated network and allow external access only on specific ports and machines
  • Implement a whitelisting system for applications on server machines

More information is available on Schneider Electric’s official platforms.