Schneider Fixing U.motion Builder Holes

Thursday, June 29, 2017 @ 04:06 PM gHale


Schneider Electric said a firmware update will be ready by the end of August to mitigate multiple vulnerabilities in its U.motion Builder, according to a report from ICS-CERT.

The remotely exploitable vulnerabilities, discovered by rgod working with Trend Micro’s Zero Day Initiative, include a SQL injection, path traversal, improper authentication, use of hard-coded password, improper access control, denial of service and information disclosure.


U.motion Builder Versions 1.2.1 and prior suffer from the vulnerabilities.

A successful exploit of these vulnerabilities could allow an attacker to execute arbitrary commands or compromise the confidentiality, integrity, and availability of the system.

An attacker with a low skill level would be able to leverage the vulnerabilities and there are currently active exploits occurring in the industry.

With the SQL injection vulnerability, unauthenticated users can use calls to various paths to execute arbitrary SQL statements against the underlying database.

CVE-2017-7973 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In addition, with the path traversal issue, unauthenticated users can execute arbitrary code and exfiltrate files.

CVE-2017-7974 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

With the improper authentication hole, the system includes a hard-coded valid session. If an attacker uses that session ID as part of the HTTP cookie of a web request, authentication is bypassed.

CVE-2017-9956 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.
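
A defender-side check for the hard-coded session issue described above, as an added example that is not code from Schneider Electric, ICS-CERT or the original article: it flags session IDs that the server accepted but never issued within the log window. The log format, the `sid=`/`issued=` fields and the placeholder session value are assumptions made for illustration; the product's real log layout and session ID are not given on this page.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical format (not the product's real log):
# <client_ip> <method> <path> <status> sid=<cookie session id> [issued=<new session id>]
SAMPLE_LOG = """\
10.0.0.5 POST /login 200 sid=- issued=a1f3c9
10.0.0.5 GET /config 200 sid=a1f3c9
10.0.0.7 GET /config 302 sid=-
192.0.2.44 GET /config 200 sid=PLACEHOLDER_STATIC
198.51.100.9 GET /users 200 sid=PLACEHOLDER_STATIC
10.0.0.5 GET /users 200 sid=a1f3c9
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) "
    r"sid=(?P<sid>\S+)(?: issued=(?P<issued>\S+))?$"
)

def find_unissued_sessions(log_text):
    """Return {session_id: sorted client IPs} for sessions the server accepted
    (2xx response) although no login in the log window ever issued them."""
    issued = set()
    accepted = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        if m["issued"]:
            issued.add(m["issued"])  # session created by a real login
        if m["sid"] != "-" and m["status"].startswith("2"):
            accepted[m["sid"]].add(m["ip"])  # cookie presented and accepted
    # Issuance is collected over the whole window before filtering, so the
    # order of login and request lines does not matter.
    return {sid: sorted(ips) for sid, ips in accepted.items() if sid not in issued}

if __name__ == "__main__":
    for sid, ips in find_unissued_sessions(SAMPLE_LOG).items():
        print(f"session {sid} accepted without issuance, clients: {', '.join(ips)}")
```

Sessions issued before the start of the log window will also be reported, so run the check over a window longer than the session lifetime or seed `issued` from the session store.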

Also, the system ships with a hard-coded system web access account.

CVE-2017-9957 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.

Additionally, improper handling of the system configuration can allow an attacker to execute arbitrary code under the context of root.

CVE-2017-9958 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.

There is also a denial of service issue where the system accepts a reboot in session from an unauthenticated user, causing a denial of service.

CVE-2017-9959 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.8.

In addition, the system returns more information than should be passed to an unauthenticated caller who might be an attacker.

CVE-2017-9960 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

The product sees use mainly in the commercial facilities, critical manufacturing, and energy sectors. It also sees action in the United States, Europe, and Asia.

Paris, France-based Schneider Electric said a firmware update, which includes fixes for these vulnerabilities, should be ready to download by the end of August. When available, the company said U.motion Builder users should apply the patch in a timely manner.

See Schneider Electric’s security notice SEVD-2017-178-01.


