CVE-2020-28221 Explained : Impact and Mitigation

A CWE-20 vulnerability in EcoStruxure™ Operator Terminal Expert and Pro-face BLUE could lead to arbitrary code execution when the Ethernet Download feature is enabled.

Understanding CVE-2020-28221

This CVE involves an Improper Input Validation vulnerability in specific versions of EcoStruxure™ Operator Terminal Expert and Pro-face BLUE.

What is CVE-2020-28221?

CWE-20: Improper Input Validation vulnerability in EcoStruxure™ Operator Terminal Expert and Pro-face BLUE
Allows arbitrary code execution when Ethernet Download feature is enabled on the HMI

The Impact of CVE-2020-28221

Potential for attackers to execute arbitrary code on affected systems
Risk of unauthorized access and control over the HMI

Technical Details of CVE-2020-28221

This section provides detailed technical information about the vulnerability.

Vulnerability Description

CWE-20: Improper Input Validation vulnerability
Found in EcoStruxure™ Operator Terminal Expert and Pro-face BLUE

Affected Systems and Versions

EcoStruxure™ Operator Terminal Expert 3.1 Service Pack 1A and prior
Harmony HMIs HMIST6 Series, HMIG3U in HMIGTU Series, HMISTO Series
Pro-face BLUE 3.1 Service Pack 1A and prior
Pro-face HMIs: ST6000 Series, SP-5B41 in SP5000 Series, GP4100 Series

Exploitation Mechanism

Attackers exploit the vulnerability by enabling the Ethernet Download feature on the HMI

Mitigation and Prevention

Protect systems from CVE-2020-28221 with the following measures:

Immediate Steps to Take

Disable the Ethernet Download feature on affected HMIs
Implement network segmentation to restrict access

Long-Term Security Practices

Regularly update and patch the affected software
Conduct security assessments and audits to identify vulnerabilities

Patching and Updates

Apply security patches provided by the vendor to fix the vulnerability