CVE-2020-7498 - OpenCVE

A CWE-798: Use of Hard-coded Credentials vulnerability exists in the Unity Loader and OS Loader Software (all versions). The fixed credentials are used to simplify file transfer. Today the use of fixed credentials is considered a vulnerability, which could cause unauthorized access to the file transfer service provided by the Modicon PLCs. This could result in various unintended results.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Schneider-electric	Unity Loader Os Loader

Configuration 1 [-]

OR	cpe:2.3:a:schneider-electric:os_loader::::::::
	cpe:2.3:a:schneider-electric:unity_loader::::::::

References

Link	Resource
https://www.se.com/ww/en/download/document/SEVD-2020-161-02	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: schneider

Published: 2020-06-16T19:15:24

Updated: 2020-06-16T19:15:24

Reserved: 2020-01-21T00:00:00

Link: CVE-2020-7498

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-06-16T20:15:14.690

Modified: 2022-01-31T19:43:33.530

Link: CVE-2020-7498

JSON object: View

Redhat Information

No data.

CWE

CWE-798

{"containers": {"cna": {"affected": [{"product": "Unity Loader and OS Loader Software (All versions)", "vendor": "n/a", "versions": [{"status": "affected", "version": "Unity Loader and OS Loader Software (All versions)"}]}], "descriptions": [{"lang": "en", "value": "A CWE-798: Use of Hard-coded Credentials vulnerability exists in the Unity Loader and OS Loader Software (all versions). The fixed credentials are used to simplify file transfer. Today the use of fixed credentials is considered a vulnerability, which could cause unauthorized access to the file transfer service provided by the Modicon PLCs. This could result in various unintended results."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "CWE-798: Use of Hard-coded Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-06-16T19:15:24", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-161-02"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@schneider-electric.com", "ID": "CVE-2020-7498", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Unity Loader and OS Loader Software (All versions)", "version": {"version_data": [{"version_value": "Unity Loader and OS Loader Software (All versions)"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A CWE-798: Use of Hard-coded Credentials vulnerability exists in the Unity Loader and OS Loader Software (all versions). The fixed credentials are used to simplify file transfer. Today the use of fixed credentials is considered a vulnerability, which could cause unauthorized access to the file transfer service provided by the Modicon PLCs. This could result in various unintended results."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-798: Use of Hard-coded Credentials"}]}]}, "references": {"reference_data": [{"name": "https://www.se.com/ww/en/download/document/SEVD-2020-161-02", "refsource": "MISC", "url": "https://www.se.com/ww/en/download/document/SEVD-2020-161-02"}]}}}}, "cveMetadata": {"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2020-7498", "datePublished": "2020-06-16T19:15:24", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2020-06-16T19:15:24", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:os_loader:*:*:*:*:*:*:*:*", "matchCriteriaId": "383FE9FE-75C1-4BEF-B16D-3316662883E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider-electric:unity_loader:*:*:*:*:*:*:*:*", "matchCriteriaId": "0182018C-6154-44CF-AB88-D3C9306AC939", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A CWE-798: Use of Hard-coded Credentials vulnerability exists in the Unity Loader and OS Loader Software (all versions). The fixed credentials are used to simplify file transfer. Today the use of fixed credentials is considered a vulnerability, which could cause unauthorized access to the file transfer service provided by the Modicon PLCs. This could result in various unintended results."}, {"lang": "es", "value": "Una CWE-798: Se presenta una vulnerabilidad de Uso de Credenciales Embebidas en Unity Loader and OS Loader Software (todas las versiones). Las credenciales fijas son usadas para simplificar la transferencia de archivo. Hoy en d\u00eda, el uso de credenciales fijas es considerada una vulnerabilidad, lo que podr\u00eda causar acceso no autorizado al servicio de transferencia de archivos proporcionado por los PLC Modicon. Esto podr\u00eda conllevar a varios resultados no deseados"}], "id": "CVE-2020-7498", "lastModified": "2022-01-31T19:43:33.530", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-16T20:15:14.690", "references": [{"source": "cybersecurity@se.com", "tags": ["Vendor Advisory"], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-161-02"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-798"}], "source": "cybersecurity@se.com", "type": "Secondary"}]}