PT-2020-14752 · Schneider Electric · Command Centre
Published: 2020-09-15 · Updated: 2020-09-24 · CVE-2020-16100
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Command Centre service versions prior to v8.20.1166
Command Centre service versions prior to v8.10.1211
Command Centre service versions prior to v8.00.1228
Command Centre service versions 7.90 and earlier
Description
The issue allows an unauthenticated remote DCOM websocket connection to crash the Command Centre service's DCOM websocket thread due to improper shutdown of closed websocket connections. This prevents the service from accepting future DCOM websocket connections, specifically those from the Configuration Client.
Recommendations
For versions prior to v8.20.1166, update to v8.20.1166 or later.
For versions prior to v8.10.1211, update to v8.10.1211 or later.
For versions prior to v8.00.1228, update to v8.00.1228 or later.
For versions 7.90 and earlier, update to a version later than 7.90.
Fix
Improper Resource Release
Weakness Enumeration
Related Identifiers
Affected Products
Command Centre