Overview :
A Heap-based Buffer Overflow was found in Emerson OpenEnterprise SCADA Server 2.83 (if Modbus or ROC Interfaces have been installed and are in use) and all versions of OpenEnterprise 3.1 through 3.3.3, where a specially crafted script could execute code on the OpenEnterprise Server.
Affected Product(s) :
  • OpenEnterprise Server 2.83 is affected if Modbus or ROC Interfaces have been installed and are in use
  • OpenEnterprise 3.1 through 3.3.3, all versions
Vulnerability Details :
CVE ID : CVE-2020-6970
A specially crafted script could execute code on the OpenEnterprise Server.

CVE-2020-6970 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Solution :

Emerson recommends all users upgrade to OpenEnterprise 3.3, Service Pack 4 (3.3.4), to resolve this issue. OpenEnterprise Service Packs are available to users with access to the Emerson SupportNet system (login required). Details will be found in the downloads area.