VYPR
Unrated severity · NVD Advisory · Published Nov 19, 2020 · Updated Aug 4, 2024

CVE-2020-7556

Description

A CWE-787 Out-of-bounds Write vulnerability exists in IGSS Definition (Def.exe) version 14.0.0.20247 that could cause Remote Code Execution when a malicious CGF (Configuration Group File) file is imported into IGSS Definition.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An out-of-bounds write in IGSS Definition (Def.exe) v14.0.0.20247 allows remote code execution when a malicious CGF file is imported.

Vulnerability

CVE-2020-7556 is an out-of-bounds write vulnerability (CWE-787) in the IGSS Definition component (Def.exe) of Schneider Electric's IGSS product, specifically version 14.0.0.20247. The vulnerability exists during the parsing of specially crafted CGF (Configuration Group File) files. The code does not properly validate user-supplied data, leading to a write past the end of an allocated data structure [1].

Exploitation

Exploitation requires user interaction: the target must open a malicious CGF file, either by visiting a malicious page or directly opening the file. An attacker can deliver the file through social engineering or other means. No authentication is needed, and the vulnerability can be triggered locally [1].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the current process. This could lead to full compromise of the affected system, including unauthorized access to sensitive data, modification or destruction of data, or disruption of service. The CVSS score is 7.8 (High) with the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [1].

Mitigation

As of the initial disclosure in November 2020, no patch was available. The advisory from Schneider Electric likely contained a fix; many sources point to upgrading to a patched version of IGSS. Users should contact Schneider Electric support for the latest update and apply it as soon as possible. Until a patch is applied, avoid opening CGF files from untrusted or unknown sources [1].

References
  1. ZDI-21-095

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
