A vulnerability classified as critical was found in Schneider Electric EcoStruxure Operator Terminal Expert and EcoStruxure Pro-face BLUE up to 3.3 Hotfix 1 (SCADA Software). Affected by this vulnerability is some unknown functionality of the component SGIUtility. The manipulation with an unknown input leads to a path traversal vulnerability. The CWE definition for the vulnerability is CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in the SGIUtility component that allows adversaries with local user privileges to load malicious DLL which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior).

The weakness was disclosed 11/04/2022 as SEVD-2022-284-01. The advisory is shared at se.com. This vulnerability is known as CVE-2022-41670 since 09/27/2022. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1006 for this issue.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Productinfo

Type

• SCADA Software

Vendor

• Schneider Electric

Name

• EcoStruxure Operator Terminal Expert
• EcoStruxure Pro-face BLUE

Version

• 3.3 Hotfix 1

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion