Vulnerability Details CVE-2013-0655
The client in Schneider Electric Software Update (SESU) Utility 1.0.x and 1.1.x does not ensure that updates have a valid origin, which allows man-in-the-middle attackers to spoof updates, and consequently execute arbitrary code, by modifying the data stream on TCP port 80.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.016
EPSS Ranking 80.9%
CVSS Severity
CVSS v2 Score 9.3
References
- http://www.schneider-electric.com/download/ww/en/details/29960967-SE-Software-Update-Utility-Vulnerability-Disclosure/?reference=SEVD-2013-009-01
- http://www.us-cert.gov/control_systems/pdf/ICSA-13-016-01.pdf
- http://www2.schneider-electric.com/corporate/en/support/cybersecurity/viewer-news.page?c_filepath=/templatedata/Content/News/data/en/local/cybersecurity/general_information/2013/01/20130109_advisory_of_vulnerability_affecting_schneider_electric_s_software_upda.xml
- http://www.schneider-electric.com/download/ww/en/details/29960967-SE-Software-Update-Utility-Vulnerability-Disclosure/?reference=SEVD-2013-009-01
- http://www.us-cert.gov/control_systems/pdf/ICSA-13-016-01.pdf
- http://www2.schneider-electric.com/corporate/en/support/cybersecurity/viewer-news.page?c_filepath=/templatedata/Content/News/data/en/local/cybersecurity/general_information/2013/01/20130109_advisory_of_vulnerability_affecting_schneider_electric_s_software_upda.xml
Products affected by CVE-2013-0655
-
cpe:2.3:a:schneider-electric:software_update_utility:1.0
-
cpe:2.3:a:schneider-electric:software_update_utility:1.0.13
-
cpe:2.3:a:schneider-electric:software_update_utility:1.1