CVE-2020-7572 in EcoStruxure Building Operation WebReports
Summary
by MITRE • 11/20/2020
A CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could allow an authenticated remote user to inject arbitrary XML code and obtain disclosure of confidential data, denial of service, or server-side request forgery due to improper configuration of the XML parser.
Analysis
by VulDB Data Team • 12/09/2020
The vulnerability identified as CVE-2020-7572 represents a critical security flaw classified under CWE-611, which specifically addresses improper restriction of XML external entity references. This weakness affects EcoStruxure Building Operation WebReports versions 1.9 through 3.1, creating a significant attack surface for authenticated remote adversaries. The vulnerability stems from inadequate configuration of the XML parser within the web application, allowing malicious actors to exploit the system's handling of external entity references during XML processing operations.
The technical implementation of this vulnerability permits an authenticated user to inject arbitrary XML code into the system's XML parser, which then processes external entity references without proper sanitization or validation. This misconfiguration enables attackers to manipulate the XML parsing behavior, potentially leading to unauthorized data disclosure, service disruption, and server-side request forgery attacks. The XML parser's failure to properly restrict external entity references creates multiple attack vectors that can be leveraged for information gathering and system compromise.
From an operational impact perspective, this vulnerability poses substantial risks to building automation systems that rely on EcoStruxure WebReports for monitoring and control functions. The authenticated nature of the attack means that adversaries must first establish valid credentials, but once inside the system, they can exploit the XML parsing weakness to access sensitive operational data, disrupt building management services, or redirect requests to internal systems. The potential for server-side request forgery particularly threatens network segmentation and internal system integrity, as attackers could use the compromised system to probe internal networks or access restricted resources.
The security implications extend beyond simple data exposure, as this vulnerability can facilitate more sophisticated attacks within the building automation environment. Attackers may leverage the XML external entity processing to perform reconnaissance on internal systems, potentially leading to privilege escalation or lateral movement within the facility's network infrastructure. The vulnerability's presence in multiple versions of the software suggests a systemic configuration issue that requires comprehensive remediation across all affected installations.
Organizations should implement immediate mitigations including disabling external entity processing in XML parsers, implementing proper input validation for all XML data, and enforcing strict access controls for the WebReports application. The solution involves configuring XML parsers to reject external entity references, applying security patches from the vendor, and monitoring for unauthorized access attempts. This vulnerability aligns with ATT&CK technique T1059.007 for XML External Entity Processing and represents a critical concern for industrial control systems where building automation and security integration are paramount. Compliance with security standards such as ISO/IEC 27001 and NIST SP 800-53 requires addressing such configuration weaknesses to maintain adequate protection of critical infrastructure assets.
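The two parser-side mitigations named above, refusing external entity references and validating XML input before it reaches the parser, shown as an added example in Python's standard library (this is not code from the vendor or from VulDB; WebReports' actual parser, input format and the function names here are assumptions):

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Layer 1: user-submitted report XML never needs a DTD, and every ENTITY
# declaration must live inside a DOCTYPE, so any DOCTYPE is refused outright.
# (A DOCTYPE inside a comment or CDATA is refused too: fail closed on purpose.)
_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)

class _Collector(ContentHandler):
    """Records element names and text so callers can see what was parsed."""

    def __init__(self):
        super().__init__()
        self.elements, self.text = [], []

    def startElement(self, name, attrs):
        self.elements.append(name)

    def characters(self, content):
        if content.strip():
            self.text.append(content.strip())

def _hardened_parser(collector):
    # Layer 2: even if a DOCTYPE slipped through, expat is told not to fetch
    # external general or parameter entities, so a SYSTEM/PUBLIC entity expands
    # to nothing instead of a local file or a response from an internal URL.
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    parser.setContentHandler(collector)
    return parser

def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an authenticated but untrusted user with both layers on."""
    if _DOCTYPE.search(data):
        raise ValueError("DOCTYPE declarations are not accepted in report XML")
    collector = _Collector()
    _hardened_parser(collector).parse(io.BytesIO(data))
    return {"elements": collector.elements, "text": collector.text}

def external_entities_are_inert() -> bool:
    """Self-check of layer 2 alone: a constructed external entity yields no text."""
    doc = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY ext SYSTEM '
           b'"file:///constructed/does-not-exist">]><r>&ext;</r>')
    collector = _Collector()
    _hardened_parser(collector).parse(io.BytesIO(doc))
    return collector.text == []
```

The same two layers apply to any parser: reject DTDs at the boundary, and still configure the parser itself so that a missed document cannot reach the filesystem or the internal network.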