SEVD-2020-315-02
Schneider Electric is aware of a vulnerability in its EcoStruxure™ Operator Terminal Expert (formerly known as Vijeo XD), Pro-face BLUE and WinGP runtimes. This vulnerability impacts Windows PC and Harmony iPC offers.

The EcoStruxure™ Operator Terminal Expert and Pro-face BLUE products are HMI configuration software supporting gestures and UI designs. WinGP is a runtime engine on Windows PC and is included in the Pro-face GP-Pro EX product, which is an HMI Screen Editor & Logic Programming Software for Pro-face.

Failure to apply the remediations provided below may risk unauthorized command execution by a local user of the Windows engineering workstation, which could result in loss of availability, confidentiality and integrity of the workstation where the EcoStruxure™ Operator Terminal Expert, Pro-face BLUE or WinGP runtime is installed.

January 2021 update: Added Pro-face BLUE and WinGP to the list of products affected and links to the fixes.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Schneider Electric | EcoStruxure™ Operator Terminal Expert | V3.1 Service Pack 1B |
| Schneider Electric | WinGP installed on Pro-face PS4000 & PS5000 series and SP-5B40, SP5B41 using legacy BIOS | V4.09.120 and prior |
| Schneider Electric | Pro-face BLUE Runtime installed on Pro-face iPC (SP-5B10) using legacy BIOS | 3.1 Service Pack 1A and prior |
| Schneider Electric | WinGP | V4.09.200 |
| Schneider Electric | EcoStruxure™ Operator Terminal Expert Runtime installed on Harmony iPC (HMIG3U) using legacy BIOS | 3.1 Service Pack 1A and prior |
| Schneider Electric | Pro-face BLUE Runtime installed on Windows PC using legacy BIOS | 3.1 Service Pack 1A and prior |
| Schneider Electric | WinGP installed on Windows PC using legacy BIOS | V4.09.120 and prior |
| Schneider Electric | Pro-face BLUE | V3.1 Service Pack 1B |
| Schneider Electric | EcoStruxure™ Operator Terminal Expert Runtime installed on Windows PC using legacy BIOS | 3.1 Service Pack 1A and prior |
Timeline
- Nov 9, 2020 CVE Published
- Jan 11, 2021 CVE Updated
References
- https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-315-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2020-315-02_EcoStruxure%E2%84%A2%20Operator%20Terminal%20Expert_Security_Notification_V2.0.pdf advisory
- https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-315-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2020-315-02.json advisory
- https://www.se.com/us/en/download/document/7EN52-0390/ url
- https://www.se.com/ww/en/product-range-download/62621-ecostruxure%E2%84%A2-operator-terminal-expert/#/software-firmware-tab fix
- https://www.proface.com/en/service#/page/installer/blue fix
- https://www.proface.com/en/download/trial/gpproex/v40 fix
- https://www.se.com/us/en/download/document/CS-Best-Practices-2019-340/ fix