Pro-face Versatile Software BLUE

May 2020

Overview

Schneider Electric is aware of multiple vulnerabilities in the BLUE.

Affected Product(s)

BLUE 3.1 Service Pack 1 and prior

Vulnerability Details

CVE ID: CVE-2020-7493
CVSS v3.0 Base Score 7.7 | High | CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists which could cause malicious code execution when opening the project file.

CVE ID: CVE-2020-7494
CVSS v3.0 Base Score 7.7 | High | CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists which could cause malicious code execution when opening the project file.

CVE ID: CVE-2020-7495
CVSS v3.0 Base Score 3.3 | Low | CVSS:3.0/ AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability during zip file extraction exists which could cause unauthorized write access outside of expected path folder when opening the project file.

CVE ID: CVE-2020-7496
CVSS v3.0 Base Score 3.3 | Low | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

A CWE-88: Argument Injection or Modification vulnerability exists which could cause unauthorized write access when opening the project file.

CVE ID: CVE-2020-7497
CVSS v3.0 Base Score 6.3 | Medium | CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists which could cause arbitrary application execution when the computer starts.

Remediation

For CVE-2020-7493, CVE-2020-7494, CVE-2020-7495 and CVE-2020-7496
These vulnerabilities are fixed in the BLUE version 3.1 Service Pack 1A available for download below:
https://www.proface.com/en/service#/blue
The fix is also available through Schneider Electric Software Update (SESU).

For CVE-2020-7497:
The following workarounds and mitigations can be applied by customers to reduce the risk:

  • Use BLUE software only on a trusted workstation.
  • Do not execute BLUE software with Windows administrator privileges.
  • Harden your workstation following the best cybersecurity practices (antivirus, updated operating systems, strong password policies, Application White Listing software, etc.) and secure your network using the following guideline: https://www.se.com/us/en/download/document/CS-Best-Practices-2019-340/
  • Manage your project file securely to avoid information disclosure or unexpected modifications of data.
  • Only accept project files from trusted users.
  • Use project password when saving the project file.
  • User’s password in the Application should be configured as strong password with the “use complex password” function described in the section “Security / Settings / use complex password”.

Schneider Electric is aware of additional weaknesses in the BLUE product and strongly recommends users to apply the previous mitigations in addition to the General Security Recommendations listed in a later section.

Product Information

The BLUE configuration software enables you to create and edit application Pro-face HMIs.

Product Category - All Categories Learn more about Schneider Electric’s product categories here: https://www.se.com/us/en/all-products

How to determine if you are affected Users of BLUE version prior to V3.1SP1A and all versions of BLUE. Customer can access the version of their software in the About menu.

Acknowledgements

Schneider Electric recognizes the following researcher(s) for identifying and helping to coordinate a response to this vulnerability:

CVE Researcher(s) Name
CVE-2020-7493 Steven Seeley and Chris Anastasio of Incite Team working with TrendMicro’s Zero Day Initiative
CVE-2020-7494, CVE-2020- 7496 Sharon Brizinov, Amir Preminger of Claroty Research working with TrendMicro’s Zero Day Initiative
CVE-2020-7495 Sharon Brizinov, Amir Preminger of Claroty Research working with TrendMicro’s Zero Day Initiative Fredrik Østrem (Cognite), Emil Sandstø (Cognite), and Cim Stordal (Cognite)
CVE-2020-7497 Fredrik Østrem (Cognite), Emil Sandstø (Cognite), and Cim Stordal (Cognite)

General Security Recommendations

We strongly recommend following industry cybersecurity best practices such as:
  • Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
  • Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
  • Place all controllers in locked cabinets and never leave them in the “Program” mode.
  • Never connect programming software to any network other than the network for the devices that it is intended for.
  • Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
  • Never allow laptops that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
  • Minimize network exposure for all control system devices and systems, and ensure that they are not accessible from the Internet.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information

This document provides an overview of the identified vulnerability or vulnerabilities and actions required to mitigate. For more details and assistance on how to protect your installation, please contact your local Schneider Electric representative and/or Schneider Electric Industrial Cybersecurity Services. These organizations will be fully aware of this situation and can support you through the process.

https://www.se.com/us/en/all-products

Legal Disclaimer
THIS DOCUMENT IS INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN “AS-IS” BASIS WITHOUT WARRANTY OF ANY KIND. SCHNEIDER ELECTRIC DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL SCHNEIDER ELECTRIC BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE USE OF THIS NOTIFICATION, INFORMATION CONTAINED HEREIN, OR MATERIALS LINKED TO IT ARE AT YOUR OWN RISK. SCHNEIDER ELECTRIC RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION.

About Schneider Electric

At Schneider, we believe access to energy and digital is a basic human right. We empower all to make the most of their energy and resources, ensuring Life Is On everywhere, for everyone, at every moment.

We provide energy and automation digital solutions for efficiency and sustainability. We combine world-leading energy technologies, real-time automation, software and services into integrated solutions for Homes, Buildings, Data Centers, Infrastructure and Industries.

We are committed to unleash the infinite possibilities of an open, global, innovative community that is passionate about our Meaningful Purpose, Inclusive and Empowered values.

www.se.com