Last week Schneider Electric patched four flaws affecting its U.motion Builder software, including two critical vulnerabilities that allow remote code execution.
Schneider Electric U.motion Builder is a tool for creating projects for U.motion devices, which are deployed in the critical manufacturing, energy, and commercial facilities sectors.
“This exploit occurs when the submitted data of an input string is evaluated as a command by the application,” reads the advisory published by Schneider. “In this way, the attacker could execute code, read the stack, or cause a segmentation fault in the running application.”
The critical stack-based buffer overflow, tracked as CVE-2018-7784, received a CVSS score of 10.
The flaw was reported by a Chinese researcher who uses the online moniker “bigric3”, who also reported a critical remote command injection vulnerability, tracked as CVE-2018-7785, that can lead to authentication bypass.
CVE-2018-7785 was likewise assigned a CVSS score of 10.
Both flaws can be exploited by an unauthenticated remote attacker over the network and require no specific skills.
Bigric3 also reported a medium-severity cross-site scripting (XSS) vulnerability, tracked as CVE-2018-7786, in U.motion Builder.
The last issue addressed by Schneider with the release of version 1.3.4 is improper validation of the context parameter in an HTTP GET request. The flaw, tracked as CVE-2018-7787, was reported by Wei Gao of Ixia and has also been classified as medium severity.
ICS-CERT and the U.S. National Cybersecurity & Communications Integration Center (NCCIC) have published a security advisory that also includes mitigations to minimize the risk of exploitation of these vulnerabilities.
According to the NCCIC, users should:
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
- Perform proper impact analysis and risk assessment prior to deploying defensive measures.
(Security Affairs – Schneider Electric U.motion Builder, RCE)