CVE-2020-7498

A CWE-798: Use of Hard-coded Credentials vulnerability exists in the Unity Loader and OS Loader Software (all versions). The fixed credentials are used to simplify file transfer. Today the use of fixed credentials is considered a vulnerability, which could cause unauthorized access to the file transfer service provided by the Modicon PLCs. This could result in various unintended results.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://www.se.com/ww/en/download/document/SEVD-2020-161-02	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:schneider-electric:os_loader::::::::
	cpe:2.3:a:schneider-electric:unity_loader::::::::

History

31 Jan 2022, 19:43

Type	Values Removed	Values Added
First Time		Schneider-electric Schneider-electric unity Loader Schneider-electric os Loader
CPE	cpe:2.3:a:se:os_loader:::::::: cpe:2.3:a:se:unity_loader::::::::	cpe:2.3:a:schneider-electric:unity_loader:::::::: cpe:2.3:a:schneider-electric:os_loader::::::::

Information

Published : 2020-06-16 20:15

Updated : 2023-12-10 13:27

NVD link : CVE-2020-7498

Mitre link : CVE-2020-7498

CVE.ORG link : CVE-2020-7498

JSON object : View

Products Affected

schneider-electric

os_loader
unity_loader

CWE

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2020-7498", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2020-06-16T20:15:14.690", "references": [{"url": "https://www.se.com/ww/en/download/document/SEVD-2020-161-02", "tags": ["Vendor Advisory"], "source": "cybersecurity@se.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-798"}]}, {"type": "Secondary", "source": "cybersecurity@se.com", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "A CWE-798: Use of Hard-coded Credentials vulnerability exists in the Unity Loader and OS Loader Software (all versions). The fixed credentials are used to simplify file transfer. Today the use of fixed credentials is considered a vulnerability, which could cause unauthorized access to the file transfer service provided by the Modicon PLCs. This could result in various unintended results."}, {"lang": "es", "value": "Una CWE-798: Se presenta una vulnerabilidad de Uso de Credenciales Embebidas en Unity Loader and OS Loader Software (todas las versiones). Las credenciales fijas son usadas para simplificar la transferencia de archivo. Hoy en d\u00eda, el uso de credenciales fijas es considerada una vulnerabilidad, lo que podr\u00eda causar acceso no autorizado al servicio de transferencia de archivos proporcionado por los PLC Modicon. Esto podr\u00eda conllevar a varios resultados no deseados"}], "lastModified": "2022-01-31T19:43:33.530", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:os_loader:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "383FE9FE-75C1-4BEF-B16D-3316662883E2"}, {"criteria": "cpe:2.3:a:schneider-electric:unity_loader:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0182018C-6154-44CF-AB88-D3C9306AC939"}], "operator": "OR"}]}], "sourceIdentifier": "cybersecurity@se.com"}