CVE-2020-7572
📋 TL;DR
This XXE vulnerability in EcoStruxure Building Operation WebReports allows authenticated remote attackers to inject malicious XML entities, potentially leading to data disclosure, denial of service, or server-side request forgery. It affects versions 1.9 through 3.1 of the software. Only authenticated users can exploit this vulnerability.
💻 Affected Systems
- EcoStruxure Building Operation WebReports
📦 What is this software?
WebReports by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise including sensitive data exfiltration, server-side request forgery to internal systems, and denial of service rendering the system unusable.
Likely Case
Unauthorized access to sensitive configuration files, internal network reconnaissance via SSRF, and potential data leakage from the server.
If Mitigated
Limited impact with proper network segmentation, XML parser hardening, and authentication controls in place.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of XML injection techniques. No public exploit code is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 3.2 and later
Vendor Advisory: https://www.se.com/ww/en/download/document/SEVD-2020-315-04/
Restart Required: Yes
Instructions:
1. Download the updated version from Schneider Electric's official portal.
2. Back up the current configuration and data.
3. Install the update following the vendor documentation.
4. Restart the WebReports service.
5. Verify functionality post-update.
🔧 Temporary Workarounds
Disable External Entity Processing
Configure the XML parser to disable external entity resolution and DTD processing.
Modify XML parser configuration to set features: FEATURE_SECURE_PROCESSING=true, disallow-doctype-decl=true
Network Segmentation
Isolate the WebReports server from sensitive internal networks and the internet.
Configure firewall rules to restrict outbound connections from WebReports server
🧯 If You Can't Patch
- Implement strict authentication controls and monitor for suspicious XML uploads
- Deploy WAF with XXE protection rules and input validation for XML content
🔍 How to Verify
Check if Vulnerable:
Check WebReports version in administration interface or via installed programs list. Versions 1.9-3.1 are vulnerable.
Check Version:
Check via WebReports web interface at /admin or examine installed programs in Windows Control Panel
Verify Fix Applied:
Verify version is 3.2 or later in administration interface and test XML upload functionality with XXE payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML file uploads
- Failed authentication attempts followed by XML requests
- Outbound connections from WebReports to unexpected internal systems
Network Indicators:
- HTTP POST requests with XML content containing external entity references
- Unusual outbound connections from WebReports server
SIEM Query:
source="webreports" AND (message="*xml*" OR message="*entity*" OR message="*DOCTYPE*")
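As an added example (not part of the advisory), a Python triage script for the network indicator above: it flags XML POST bodies that carry a DOCTYPE or declare external/parameter entities, and shows the parser-side counterpart of the disallow-doctype-decl workaround. The request paths and bodies are constructed samples, not real WebReports traffic.

```python
import re
import xml.etree.ElementTree as ET

# Patterns for the indicator named in the advisory: XML bodies that carry a
# DOCTYPE and declare external (SYSTEM/PUBLIC) or parameter (%) entities.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\s+%?\s*\S+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
PARAMETER_ENTITY_RE = re.compile(rb"<!ENTITY\s+%", re.IGNORECASE)


def find_xxe_indicators(body: bytes) -> list[str]:
    """Return the XXE indicators present in an XML request body, in a fixed order."""
    found = []
    if DOCTYPE_RE.search(body):
        found.append("doctype")
    if EXTERNAL_ENTITY_RE.search(body):
        found.append("external-entity")
    if PARAMETER_ENTITY_RE.search(body):
        found.append("parameter-entity")
    return found


def safe_parse(body: bytes) -> ET.Element:
    """Parse XML only if it has no DOCTYPE, mirroring the disallow-doctype-decl setting."""
    if DOCTYPE_RE.search(body):
        raise ValueError("DOCTYPE declarations are not accepted")
    return ET.fromstring(body)


def triage_posts(posts):
    """Return (path, indicators) for every POST body that shows at least one indicator."""
    hits = []
    for path, body in posts:
        indicators = find_xxe_indicators(body)
        if indicators:
            hits.append((path, indicators))
    return hits


# Constructed sample POST bodies; the SYSTEM identifiers are placeholders.
SAMPLE_POSTS = [
    ("/reports/upload", b'<?xml version="1.0"?><report><name>monthly</name></report>'),
    ("/reports/upload", b'<?xml version="1.0"?><!DOCTYPE report [<!ENTITY ext SYSTEM "file:///placeholder">]><report>&ext;</report>'),
    ("/reports/upload", b'<?xml version="1.0"?><!DOCTYPE report [<!ENTITY % p SYSTEM "http://placeholder.invalid/x.dtd"> %p;]><report/>'),
]

if __name__ == "__main__":
    for path, indicators in triage_posts(SAMPLE_POSTS):
        print(f"{path}: {', '.join(indicators)}")
```

The regex pass is a triage filter for proxy or WAF logs; the `safe_parse` guard belongs in front of any application parser that cannot be reconfigured directly.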