QID 590719

Date Published: 2022-03-30

QID 590719: Schneider Electric PLC Simulator on EcoStruxure Control Expert and Process Expert Multiple Vulnerabilities (SEVD-2020-315-07)

Affected Products and Versions
PLC Simulator for EcoStruxure Control Expert prior to v15.0 SP1
PLC Simulator for Unity Pro (former name of EcoStruxure Control Expert), all versions
PLC Simulator for EcoStruxure Process Expert, all versions

QID Detection Logic (Authenticated):
The QID checks for a vulnerable version by looking at the file version of "ControlExpert.exe" and "UnityXL.exe".

Failure to apply the mitigations provided below may risk unauthorized command execution or denial of service, which could result in undesired actions by the PLC simulator software.

  • CVSS V3 rated as Critical - 9.8 severity.
  • CVSS V2 rated as High - 7.5 severity.
Solution

Customers are advised to refer to advisory SEVD-2020-315-07 for affected packages and patching details.

Workaround:

Customers should immediately apply the following mitigations to reduce the risk of exploitation of CVE-2020-7538, CVE-2020-28211, CVE-2020-28212 and CVE-2020-28213:

  • V15.0 of the EcoStruxure Control Expert software includes a mitigation for these vulnerabilities, when applied with the steps outlined below, and is available for download.
  • EcoStruxure Process Expert 2020 R2 software includes a mitigation for these vulnerabilities, when applied with the steps outlined below, and is available for download on the EcoStruxure Process Expert Support Portal (registration is needed).

After downloading the updated software listed above, the following steps are required to mitigate the vulnerability:

1. Harden the Engineering Workstation running PLC Simulator. Follow the workstation, network and site-hardening guidelines in the Recommended Cybersecurity Best Practices guide, which is available for download.
2. On V15.0 of the EcoStruxure Control Expert and EcoStruxure Process Expert 2020 R2 software, in the option dialog box of the PLC simulator, customers are requested to set the Listening IP Address to:
   a. 127.0.0.1 (localhost), which will prevent remote network connections to the PLC simulator; or
   b. When deployed as a remote access system, the IP address should be configured to be the same as the system that will be running the PLC simulator.

Note: Customers are informed that on EcoStruxure Control Expert v15.0 and EcoStruxure Process Expert 2020 R2 software and prior, the default listening IP address is 0.0.0.0. The default setting exposes the PLC simulator to the vulnerabilities described in this bulletin. The default listening IP address is configurable from v15.0 and 2020 R2 and above.

Customers should use appropriate patching methodologies when applying these patches to their systems. We strongly recommend the use of back-ups and evaluating the impact of these patches in a Test and Development environment or on an offline infrastructure. Contact Schneider Electric Customer Care Center if you need assistance removing a patch.

If customers choose not to apply the mitigations provided above, or in case of older versions of EcoStruxure Control Expert software, they should immediately apply the following mitigations to reduce the risk of exploit:

1. Set up network segmentation and implement a firewall to block all unauthorized access to port 502/TCP.
2. Harden the Engineering Workstation running PLC Simulator for EcoStruxure Control Expert and EcoStruxure Process Expert.
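To verify the listening-address mitigation on an engineering workstation, the following added example (not code from Qualys or Schneider Electric) audits Windows `netstat -ano` output for listeners on port 502/TCP and flags any bound to all interfaces. It assumes the simulator listens on 502/TCP, the port named in the firewall mitigation; the sample output, PIDs and the approved address 192.168.10.20 are constructed.

```python
import ipaddress

MODBUS_PORT = 502  # assumption: port taken from the advisory's firewall mitigation

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       968
  TCP    0.0.0.0:502            0.0.0.0:0              LISTENING       4312
  TCP    127.0.0.1:502          0.0.0.0:0              LISTENING       5120
  TCP    192.168.10.20:502      0.0.0.0:0              LISTENING       6044
  TCP    192.168.10.20:502      192.168.10.77:50112    ESTABLISHED     6044
  TCP    [::]:502               [::]:0                 LISTENING       4312
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def classify(ip, approved):
    if ip.is_unspecified:   # 0.0.0.0 or :: means every interface (the default)
        return "EXPOSED"
    if ip.is_loopback:      # 127.0.0.1, mitigation option (a)
        return "OK-LOCALHOST"
    if ip in approved:      # address of the host itself, mitigation option (b)
        return "OK-APPROVED"
    return "REVIEW"         # bound to an address nobody signed off on

def audit_listeners(netstat_text, approved_ips=(), port=MODBUS_PORT):
    """Return (ip, pid, verdict) for every TCP listener on `port`."""
    approved = {ipaddress.ip_address(a) for a in approved_ips}
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Keep only 'TCP <local> <foreign> LISTENING <pid>' rows.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        try:
            ip, local_port = split_endpoint(fields[1])
        except ValueError:
            continue  # unparsable address, skip rather than guess
        if local_port == port:
            findings.append((str(ip), int(fields[4]), classify(ip, approved)))
    return findings

if __name__ == "__main__":
    for ip, pid, verdict in audit_listeners(SAMPLE_NETSTAT, ["192.168.10.20"]):
        print(f"{verdict:13} {ip}:{MODBUS_PORT} pid={pid}")
```

On a live workstation, pass the captured text of `netstat -ano` instead of the sample and map any EXPOSED PID back to its process before changing the simulator's option dialog.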
