CVE-2022-41668 is a recently discovered vulnerability, classified as CWE-704 (Incorrect Project Conversion), present in Schneider Electric's EcoStruxure Operator Terminal Expert (V3.3 Hotfix 1 or prior) and Pro-face BLUE (V3.3 Hotfix 1 or prior) products. In this article, we will explore the vulnerability, provide details on how it can be exploited, and offer some recommendations for mitigating its impact.

Background on CVE-2022-41668 and CWE-704

CWE-704 refers to a weakness where the software incorrectly converts or imports a project file, making it vulnerable to adversary-controlled malicious code execution. In the case of CVE-2022-41668, an attacker with local user privileges can exploit this vulnerability by loading a project file from an adversary-controlled network share to execute malicious code.

Affected products include:

1. EcoStruxure Operator Terminal Expert (V3.3 Hotfix 1 or prior): A versatile software suite designed for the configuration and commissioning of Schneider Electric's Magelis operator terminals.

Link: https://www.se.com/ww/en/product-range/63414-ecostruxure%E2%84%A2-operator-terminal-expert/

2. Pro-face BLUE (V3.3 Hotfix 1 or prior): An integrated platform for the creation, deployment, and management of industrial HMIs and control applications.

Link: https://www.profaceamerica.com/en-US/content/blue-open

Exploit Details

An attacker can exploit this vulnerability by creating a malicious project file and hosting it on a network share. When a local user loads this project file into the vulnerable application, the software incorrectly parses the project, enabling the attacker to execute malicious code.

A simple proof-of-concept (PoC) to demonstrate this vulnerability could be generated using a template project file:

1. Create a new project in EcoStruxure Operator Terminal Expert or Pro-face BLUE.

2. Embed a malicious payload in the project by altering its resources or scripts (such as adding extra JavaScript code to be executed when the project is loaded).

   Here's a small snippet of code that mimics a malicious payload:

       // This is a simple PoC, actual payloads could be far more dangerous.
       alert('You have loaded a malicious project file. Your system is vulnerable to CVE-2022-41668.');

3. Entice the local user to open the malicious project file from the attacker-controlled network share.

4. Upon opening the project file, the malicious code will be executed, confirming that the software is vulnerable to CVE-2022-41668.

Mitigation Steps

To mitigate the impact of this vulnerability, Schneider Electric recommends updating to the latest version of the affected software:

EcoStruxure Operator Terminal Expert: Update to V3.3 Hotfix 2.

Link: https://www.se.com/ww/en/download/document/EcoStruxure_Operator_Terminal_Expert_V3.3_Hotfix2/

Pro-face BLUE: Update to V3.3 Hotfix 2.

Link: (Check with the vendor or use the software update option within the application)
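As an added example (not part of this advisory or any Schneider Electric tooling), the following Python helper encodes the two facts a defender needs from the sections above: the affected version range (V3.3 Hotfix 1 or prior, fixed in V3.3 Hotfix 2) and the trigger condition (a project file loaded from a network share). It audits an inventory of installs and flags project paths that point at a UNC share; all host names, version strings and file names are constructed sample data.

```python
import re
from pathlib import PureWindowsPath

# Taken from the advisory text: V3.3 Hotfix 1 and earlier are affected,
# V3.3 Hotfix 2 carries the fix. Product names as they appear in the advisory.
FIXED_VERSION = (3, 3, 2)
AFFECTED_PRODUCTS = {"EcoStruxure Operator Terminal Expert", "Pro-face BLUE"}

# Accepts the spellings seen in the advisory: "V3.3 Hotfix 1", "V3.3 Hotfix2", "V3.2".
VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)(?:\s*Hotfix\s*(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Turn a vendor version string into a comparable (major, minor, hotfix) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, hotfix = m.groups()
    return (int(major), int(minor), int(hotfix or 0))


def is_affected(product, version):
    """True when the install falls inside the advisory's affected range."""
    if product not in AFFECTED_PRODUCTS:
        return False
    return parse_version(version) < FIXED_VERSION


def audit(inventory):
    """Return the hosts still running an affected build, in inventory order."""
    return [host for host, (prod, ver) in inventory.items() if is_affected(prod, ver)]


def is_network_path(path):
    """Flag project files that would be loaded from a UNC share (\\\\host\\share\\...).

    Caveat: a drive letter mapped to a share (e.g. Z:) is not detectable from the
    path string alone; that needs a query of the mapped-drive table at runtime.
    """
    drive = PureWindowsPath(path).drive  # '\\\\host\\share' for UNC, 'C:' for local
    return drive.startswith("\\\\")


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = {
    "hmi-eng-01": ("EcoStruxure Operator Terminal Expert", "V3.3 Hotfix 1"),
    "hmi-eng-02": ("EcoStruxure Operator Terminal Expert", "V3.3 Hotfix2"),
    "hmi-eng-03": ("Pro-face BLUE", "V3.2"),
    "hmi-eng-04": ("Some Other Tool", "V1.0"),
}

if __name__ == "__main__":
    print("still affected:", audit(SAMPLE_INVENTORY))
    print("network-sourced:", is_network_path(r"\\fileserver\projects\line1_project.dat"))
```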

Conclusion

CVE-2022-41668 highlights the importance of proper project conversion handling and secure coding practices. Users of the affected EcoStruxure Operator Terminal Expert and Pro-face BLUE software should take the necessary steps to update their systems to mitigate the risk associated with this vulnerability. By raising awareness and ensuring that software is up-to-date, users can better protect their devices and applications from potential exploitation by adversaries.

Timeline

Published on: 11/04/2022 12:15:00 UTC
Last modified on: 11/05/2022 02:02:00 UTC