Schneider Electric released new firmware to mitigate command injection, cross-site scripting, and improper input validation vulnerabilities in its U.motion Builder, according to a report filed with NCCIC.
Successful exploitation of these remotely exploitable vulnerabilities, discovered by Wei Gao of Ixia and bigric3@360A-TEAM, could allow for remote code execution.
U.motion Builder versions prior to 1.3.4 are affected.
In one vulnerability, an input string may be evaluated as a command by the application. An attacker could exploit this to execute code, read the stack, or cause a segmentation fault in the running application.
CVE-2018-7784 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 10.0.
In addition, there is a remote command injection that could allow for an authentication bypass.
CVE-2018-7785 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 10.0.
Also, there is a cross-site scripting (XSS) vulnerability, which could allow injection of malicious scripts.
CVE-2018-7786 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.1.
Another vulnerability is due to improper validation of the context parameter in an HTTP GET request, which could allow the disclosure of sensitive information.
CVE-2018-7787 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
The product sees use mainly in the commercial facilities, critical manufacturing, and energy sectors.
It is deployed mainly in the United States, Europe, and Asia.
No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level could leverage the vulnerabilities.
Schneider Electric released firmware update Version 1.3.4, which includes fixes for these vulnerabilities. It is highly recommended that U.motion Builder users apply the patch in a timely manner.
The firmware update and Schneider Electric's security notice SEVD-2018-151-01 are available from Schneider Electric.