CVE-2020-7498 - OpenCVE

A CWE-798: Use of Hard-coded Credentials vulnerability exists in the Unity Loader and OS Loader Software (all versions). The fixed credentials are used to simplify file transfer. Today the use of fixed credentials is considered a vulnerability, which could cause unauthorized access to the file transfer service provided by the Modicon PLCs. This could result in various unintended results.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Schneider-electric	Os Loader Unity Loader

Configuration 1 [-]

OR	cpe:2.3:a:schneider-electric:os_loader::::::::
	cpe:2.3:a:schneider-electric:unity_loader::::::::

No data.

References

Link	Providers
https://www.se.com/ww/en/download/document/SEVD-2020-161-02

History

No history.

MITRE

Status: PUBLISHED

Assigner: schneider

Published: 2020-06-16T19:15:24

Updated: 2024-08-04T09:33:19.631Z

Reserved: 2020-01-21T00:00:00

Link: CVE-2020-7498

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-06-16T20:15:14.690

Modified: 2022-01-31T19:43:33.530

Link: CVE-2020-7498

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Unity Loader and OS Loader Software (All versions)", "vendor": "n/a", "versions": [{"status": "affected", "version": "Unity Loader and OS Loader Software (All versions)"}]}], "descriptions": [{"lang": "en", "value": "A CWE-798: Use of Hard-coded Credentials vulnerability exists in the Unity Loader and OS Loader Software (all versions). The fixed credentials are used to simplify file transfer. Today the use of fixed credentials is considered a vulnerability, which could cause unauthorized access to the file transfer service provided by the Modicon PLCs. This could result in various unintended results."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "CWE-798: Use of Hard-coded Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-06-16T19:15:24", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-161-02"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@schneider-electric.com", "ID": "CVE-2020-7498", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Unity Loader and OS Loader Software (All versions)", "version": {"version_data": [{"version_value": "Unity Loader and OS Loader Software (All versions)"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A CWE-798: Use of Hard-coded Credentials vulnerability exists in the Unity Loader and OS Loader Software (all versions). The fixed credentials are used to simplify file transfer. Today the use of fixed credentials is considered a vulnerability, which could cause unauthorized access to the file transfer service provided by the Modicon PLCs. This could result in various unintended results."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-798: Use of Hard-coded Credentials"}]}]}, "references": {"reference_data": [{"name": "https://www.se.com/ww/en/download/document/SEVD-2020-161-02", "refsource": "MISC", "url": "https://www.se.com/ww/en/download/document/SEVD-2020-161-02"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:33:19.631Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-161-02"}]}]}, "cveMetadata": {"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2020-7498", "datePublished": "2020-06-16T19:15:24", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2024-08-04T09:33:19.631Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:os_loader:*:*:*:*:*:*:*:*", "matchCriteriaId": "383FE9FE-75C1-4BEF-B16D-3316662883E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider-electric:unity_loader:*:*:*:*:*:*:*:*", "matchCriteriaId": "0182018C-6154-44CF-AB88-D3C9306AC939", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A CWE-798: Use of Hard-coded Credentials vulnerability exists in the Unity Loader and OS Loader Software (all versions). The fixed credentials are used to simplify file transfer. Today the use of fixed credentials is considered a vulnerability, which could cause unauthorized access to the file transfer service provided by the Modicon PLCs. This could result in various unintended results."}, {"lang": "es", "value": "Una CWE-798: Se presenta una vulnerabilidad de Uso de Credenciales Embebidas en Unity Loader and OS Loader Software (todas las versiones). Las credenciales fijas son usadas para simplificar la transferencia de archivo. Hoy en d\u00eda, el uso de credenciales fijas es considerada una vulnerabilidad, lo que podr\u00eda causar acceso no autorizado al servicio de transferencia de archivos proporcionado por los PLC Modicon. Esto podr\u00eda conllevar a varios resultados no deseados"}], "id": "CVE-2020-7498", "lastModified": "2022-01-31T19:43:33.530", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-16T20:15:14.690", "references": [{"source": "cybersecurity@se.com", "tags": ["Vendor Advisory"], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-161-02"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-798"}], "source": "cybersecurity@se.com", "type": "Secondary"}]}