SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-625983383] Schneider Electric U.motion Builder

Date: 2017-06-29
Type: Other
Platform: Schneider Electric
Author: rgod working with Trend Micro’s Zero Day Initiative identified these vulnerabilities.
EDB-ID: N/A
CVE-ID: CVE-2017-7973 CVE-2017-7974 CVE-2017-9956 CVE-2017-9957 CVE-2017
OSVDB-ID: N/A
Download App: N/A
SIS Signature: N/A

Source

#
# Schneider Electric U.motion Builder
#


### VULNERABLE VENDOR
Schneider Electric


### VULNERABLE PRODUCT
U.motion Builder



### RESEARCHER
rgod working with Trend Micro's Zero Day Initiative identified these vulnerabilities.



### AFFECTED PRODUCTS

The following U.motion Builder Software versions are affected:

U.motion Builder Versions 1.2.1 and prior.



### IMPACT

A successful exploit of these vulnerabilities could allow an attacker to execute arbitrary commands or compromise the confidentiality, integrity, and availability of the system.



### VULNERABILITY OVERVIEW

SQL INJECTION CWE-89
Unauthenticated users can use calls to various paths to execute arbitrary SQL statements against the underlying database.
CVE-2017-7973 has been assigned to this vulnerability.
A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


PATH TRAVERSAL CWE-22
Unauthenticated users can execute arbitrary code and exfiltrate files.
CVE-2017-7974 has been assigned to this vulnerability.
A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)


IMPROPER AUTHENTICATION CWE-287
The system includes a hard-coded valid session.
If an attacker uses that session ID as part of the HTTP cookie of a web request, then authentication is bypassed.
CVE-2017-9956 has been assigned to this vulnerability.
A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
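
A detection example for the hard-coded session issue above, added here and not taken from the advisory or from Schneider Electric: it flags session IDs that the server accepted but never issued within the log window. The log layout, paths, addresses and the `PLACEHOLDER0` session value are constructed assumptions; the advisory does not publish the real session ID or a log format.

```python
import re
from collections import defaultdict

# Constructed log layout (an assumption, not the product's real format):
#   <timestamp> <client_ip> <method> <path> <status> sid=<presented> set=<issued>
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) sid=(?P<sid>\S+) set=(?P<issued>\S+)$"
)

# Constructed sample, in time order. "-" means no cookie presented or issued.
SAMPLE_LOG = """\
2017-07-01T10:00:00Z 10.0.0.5 POST /login 200 sid=- set=a1b2c3
2017-07-01T10:00:05Z 10.0.0.5 GET /settings 200 sid=a1b2c3 set=-
2017-07-01T10:02:00Z 10.0.0.9 GET /settings 200 sid=PLACEHOLDER0 set=-
2017-07-01T10:02:30Z 10.0.0.7 GET /settings 200 sid=PLACEHOLDER0 set=-
2017-07-01T10:03:00Z 10.0.0.8 GET /settings 403 sid=zzzz99 set=-
this line is malformed and is skipped
"""


def find_unissued_sessions(log_text, known_issued=()):
    """Map each accepted-but-never-issued session ID to its client IPs.

    known_issued seeds sessions created before the log window began, so
    long-lived legitimate sessions are not reported.
    """
    issued = set(known_issued)
    suspects = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # tolerate malformed or truncated lines
        if m["issued"] != "-":
            issued.add(m["issued"])
        sid, status = m["sid"], int(m["status"])
        # Only 2xx counts as "accepted": a redirect to the login page or a
        # 4xx means the server rejected the presented session.
        if sid != "-" and sid not in issued and 200 <= status < 300:
            suspects[sid].add(m["ip"])
    return {sid: sorted(ips) for sid, ips in suspects.items()}


if __name__ == "__main__":
    for sid, ips in find_unissued_sessions(SAMPLE_LOG).items():
        print(f"session {sid} accepted without issuance, seen from {ips}")
```

A session ID that is accepted from several unrelated client addresses and never appears in an issuance record is the pattern a hard-coded session produces.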


USE OF HARD-CODED PASSWORD CWE-259
The system ships with a hard-coded system web access account.
CVE-2017-9957 has been assigned to this vulnerability.
A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)


IMPROPER ACCESS CONTROL CWE-284
Improper handling of the system configuration can allow an attacker to execute arbitrary code under the context of root.
CVE-2017-9958 has been assigned to this vulnerability.
A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)


DENIAL OF SERVICE CWE-730
The system accepts a reboot in session from an unauthenticated user, causing a denial of service.
CVE-2017-9959 has been assigned to this vulnerability.
A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


INFORMATION EXPOSURE THROUGH AN ERROR MESSAGE CWE-209
The system returns more information than should be passed to an unauthenticated caller who might be an attacker.
CVE-2017-9960 has been assigned to this vulnerability.
A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)





### BACKGROUND

Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, and Energy
Countries/Areas Deployed: United States, Europe, and Asia
Company Headquarters Location: Paris, France




### MITIGATION

Schneider Electric says a firmware update that includes fixes for these vulnerabilities is scheduled to be available for download by the end of August. When it is available, it is highly recommended that U.motion Builder users apply the patch in a timely manner.

Schneider Electric's security notice SEVD-2017-178-01 is available at the following location:

http://www.schneider-electric.com/en/download/document/SEVD-2017-178-01/