CVE-2020-28209
📋 TL;DR
This vulnerability allows local Windows users with write permissions on subfolders of the Connect Agent service binary path to escalate privileges to the level of the user who started the service. It affects EcoStruxure Building Operation Enterprise Server (V1.9-V3.1) and Enterprise Central (V2.0-V3.1) when installed in non-secure locations. By default, installations require Administrator privileges, limiting exposure to non-standard configurations.
💻 Affected Systems
- EcoStruxure Building Operation Enterprise Server
- EcoStruxure Building Operation Enterprise Central
📦 What is this software?
Enterprise Server Installer by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation to SYSTEM or Administrator level, enabling complete system compromise, lateral movement, and persistence establishment.
Likely Case
Local user gains elevated privileges (often service account level), allowing unauthorized access to sensitive building management data and systems.
If Mitigated
Minimal impact if installed in default secure locations with proper permissions, as attackers would need both local access and write permissions to specific folders.
🎯 Exploit Status
Exploitation requires local access and write permissions to at least one subfolder in the service binary path. This is a classic unquoted service path vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Enterprise Server V3.1 Service Pack 1 or later; Enterprise Central V3.1 Service Pack 1 or later
Vendor Advisory: https://www.se.com/ww/en/download/document/SEVD-2020-315-04/
Restart Required: Yes
Instructions:
1. Download the latest Service Pack from Schneider Electric's website.
2. Apply the Service Pack to affected systems.
3. Restart the system to ensure changes take effect.
🔧 Temporary Workarounds
Secure Installation Path
Reinstall the application in a secure location where only authorized users have write permissions.
1. Uninstall the current installation.
2. Reinstall to a path such as C:\Program Files\ with proper permissions.
Set Proper Folder Permissions
Ensure only SYSTEM and Administrators have write permissions to the installation directory and all subfolders.
icacls "C:\Path\To\Installation" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" /grant:r "Administrators:(OI)(CI)F" /grant:r "Users:(OI)(CI)RX"
🧯 If You Can't Patch
- Ensure installations are in default secure locations (requiring Administrator privileges) and audit all installations for compliance.
- Implement strict access controls and monitor for unauthorized write attempts to installation directories.
🔍 How to Verify
Check if Vulnerable:
Check if the application is installed in a location where non-administrator users have write permissions to subfolders of the service binary path. Review service configuration for unquoted paths.
Check Version:
Check application version through Control Panel > Programs and Features or the application's about dialog.
Verify Fix Applied:
Verify that the installed version is Enterprise Server V3.1 SP1+ or Enterprise Central V3.1 SP1+. Check that service paths are quoted in Windows Services.
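The two checks above (unquoted service paths, and non-administrator write access to folders along that path) as an added PowerShell audit script; it is not part of the advisory or of Schneider Electric's tooling. It is read-only and assumes an elevated prompt; the `$ServiceFilter` parameter and the list of low-privilege principals are assumptions to adjust for the host, since this page does not give the Connect Agent service name.

```powershell
# Added audit script (not from the advisory): read-only, run from an elevated prompt.
# $ServiceFilter and the low-privilege principal list are assumptions; adjust them
# to the service name and group names used on the host being checked.
param([string]$ServiceFilter = '*')

$lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone',
             'NT AUTHORITY\INTERACTIVE')
$fsr = [System.Security.AccessControl.FileSystemRights]
# Dropping a file into a directory needs WriteData (also implied by Modify/FullControl);
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) may appear as raw bits.
$writeMask = [int]$fsr::WriteData -bor [int]$fsr::Modify -bor [int]$fsr::FullControl -bor
             0x40000000 -bor 0x10000000

function Get-LowPrivWriters {
    # Returns the low-privilege identities allowed to write into $Path, or $null.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    $hits = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0)
    }
    if ($hits) { return ($hits.IdentityReference.Value | Sort-Object -Unique) -join ', ' }
}

Get-CimInstance -ClassName Win32_Service |
  Where-Object { $_.Name -like $ServiceFilter -and $_.PathName } |
  ForEach-Object {
    $svc = $_
    $p = $svc.PathName.Trim()
    if ($p.StartsWith('"')) { return }            # quoted: the SCM parses it unambiguously
    # Cut off arguments: the image path ends at the first ".exe".
    $end = $p.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    $exe = if ($end -ge 0) { $p.Substring(0, $end + 4) } else { $p }
    if ($exe -notmatch ' ') { return }            # no spaces: nothing to misparse
    # Each space splits off a prefix the SCM may try as "<prefix>.exe" first;
    # report that prefix's parent directory when a low-privilege principal can write there.
    $parts = $exe.Split(' ')
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $dir = Split-Path -Path ($parts[0..($i - 1)] -join ' ') -Parent
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
        $who = Get-LowPrivWriters -Path $dir
        if ($who) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName
                               ImagePath = $exe; WritableDir = $dir; By = $who }
        }
    }
  } | Format-Table -AutoSize
```

An empty table means no unquoted, space-containing service path has a low-privilege-writable prefix directory; any row is a candidate for the icacls fix in the workarounds section above.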
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing unauthorized file creation in installation directories
- Service control manager events showing service path modifications
Network Indicators:
- Unusual outbound connections from service accounts
- Lateral movement attempts from previously low-privilege accounts
SIEM Query:
EventID=4688 AND (NewProcessName contains *\install_path\* OR CommandLine contains unquoted path to vulnerable service)