10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
AI Score
Confidence
High
0.973 High
EPSS
Percentile
99.9%
CVSS v3 10.0
ATTENTION: Remotely exploitable/low skill level to exploit. Public exploits are available.
Vendor: Schneider Electric
**Equipment:**U.motion Builder
--------- Begin Update A Part 1 of 5 --------
--------- End Update A Part 1 of 5 ----------
This updated advisory is a follow-up to the original advisory titled ICSA-17-180-02 Schneider Electric U.motion Builder that was published June 29, 2017, on the NCCIC/ICS-CERT website.
A successful exploit of these vulnerabilities could allow an attacker to execute arbitrary commands or compromise the confidentiality, integrity, and availability of the system.
The following U.motion Builder Software versions are affected:
Unauthenticated users can use calls to various paths in order to perform arbitrary SQL statements against the underlying database.
CVE-2017-7973 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
--------- Begin Update A Part 2 of 5 --------
The vulnerability exists within processing of track_import_export.php. The underlying SQLite database query is subject to SQL injection on the object_id input parameter.
CVE-2018-7765 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
The vulnerability exists within processing of track_getdata.php. The underlying SQLite database query is subject to SQL injection on the id input parameter.
CVE-2018-7766 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).
The vulnerability exists within processing of editobject.php. The underlying SQLite database query is subject to SQL injection on the type input parameter.
CVE-2018-7767 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).
The vulnerability exists within processing of loadtemplate.php. The underlying SQLite database query is subject to SQL injection on the tpl input parameter.
CVE-2018-7768 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).
The vulnerability exists within processing of xmlserver.php. The underlying SQLite database query is subject to SQL injection on the id input parameter.
CVE-2018-7769 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).
The vulnerability exists within processing of applets that are exposed on the web service. The underlying SQLite database query to determine whether a user is logged in is subject to SQL injection on the loginSeed parameter, which can be embedded in the HTTP cookie of the request.
CVE-2018-7772 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).
The vulnerability exists within processing of nfcserver.php. The underlying SQLite database query is subject to SQL injection on the sessionid input parameter.
CVE-2018-7773 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).
The vulnerability exists within processing of localize.php. The underlying SQLite database query is subject to SQL injection on the username input parameter.
CVE-2018-7774 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).
--------- End Update A Part 2 of 5 ----------
Unauthenticated users can execute arbitrary code and exfiltrate files.
CVE-2017-7974 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
--------- Begin Update A Part 3 of 5 --------
The vulnerability exists within css.inc.php. The ‘css’ parameter contains a directory traversal vulnerability.
CVE-2018-7763 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N).
The vulnerability exists within runscript.php applet. There is a directory traversal vulnerability in the processing of the ‘s’ parameter of the applet.
CVE-2018-7764 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N).
The vulnerability exists within processing of sendmail.php. The applet allows callers to select arbitrary files to send to an arbitrary email address.
CVE-2018-7770 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).
The vulnerability exists within processing of editscript.php. A directory traversal vulnerability allows a caller with standard user privileges to write arbitrary php files anywhere in the web service directory tree.
CVE-2018-7771 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L).
--------- End Update A Part 3 of 5 ----------
The system includes a hard-coded valid session. If an attacker uses that session ID as part of the HTTP cookie of a web request, then authentication is bypassed.
CVE-2017-9956 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The system comes with a system web access account hard-coded.
CVE-2017-9957 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Improper handling of the system configuration can allow an attacker to execute arbitrary code under the context of root.
CVE-2017-9958 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).
The system accepts reboot in session from unauthenticated user causing a denial of service.
CVE-2017-9959 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The system returns more information than should be passed to an unauthenticated caller who might be an attacker.
CVE-2017-9960 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
--------- Begin Update A Part 4 of 5 --------
The vulnerability exists within externalframe.php. Exception information is returned to the attacker that contains sensitive path information.
CVE-2018-7776 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N).
The vulnerability is due to insufficient handling of update_file request parameter on update_module.php. A remote, authenticated attacker can exploit this vulnerability by sending a crafted request to the target server.
CVE-2018-7777 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Samba since Version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
CVE-2017-7494 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
--------- End Update A Part 4 of 5 ----------
rgod working with Trend Micro’s Zero Day Initiative, Constantin-Cosmin CRACIUN, and Schneider Electric identified these vulnerabilities.
Schneider Electric’s security notice SEVD-2017-178-01 is available at the following location:
<http://www.schneider-electric.com/en/download/document/SEVD-2017-178-01/>
--------- Begin Update A Part 5 of 5 --------
Firmware update Version 1.3.4, which includes fixes for most of these vulnerabilities, has been released. It is highly recommended that U.motion Builder users apply the patch in a timely manner.
The firmware is available for download at:
<https://www.schneider-electric.com/en/download/document/SE_UMOTION_BUILDER/>
U.motion server firmware update Version 1.3.4 is available for download at:
<https://www.schneider-electric.com/en/download/document/Umotion_Server_update/>
--------- End Update A Part 5 of 5 ----------
NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.
www.schneider-electric.com/en/download/document/SEVD-2017-178-01/
cwe.mitre.org/data/definitions/20.html
cwe.mitre.org/data/definitions/209.html
cwe.mitre.org/data/definitions/209.html
cwe.mitre.org/data/definitions/22.html
cwe.mitre.org/data/definitions/22.html
cwe.mitre.org/data/definitions/22.html
cwe.mitre.org/data/definitions/22.html
cwe.mitre.org/data/definitions/22.html
cwe.mitre.org/data/definitions/259.html
cwe.mitre.org/data/definitions/284.html
cwe.mitre.org/data/definitions/287.html
cwe.mitre.org/data/definitions/730.html
cwe.mitre.org/data/definitions/89.html
cwe.mitre.org/data/definitions/89.html
cwe.mitre.org/data/definitions/89.html
cwe.mitre.org/data/definitions/89.html
cwe.mitre.org/data/definitions/89.html
cwe.mitre.org/data/definitions/89.html
cwe.mitre.org/data/definitions/89.html
cwe.mitre.org/data/definitions/89.html
cwe.mitre.org/data/definitions/89.html
cwe.mitre.org/data/definitions/94.html
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Schneider%20Electric%20U.motion%20Builder%20%28Update%20A%29+https://www.cisa.gov/news-events/ics-advisories/icsa-17-180-02
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7494
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7973
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7974
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9956
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9957
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9958
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9959
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9960
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7763
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7764
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7765
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7766
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7767
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7768
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7769
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7770
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7771
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7772
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7773
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7774
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7776
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7777
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-17-180-02&title=Schneider%20Electric%20U.motion%20Builder%20%28Update%20A%29
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-17-180-02
www.oig.dhs.gov/
www.schneider-electric.com/en/download/document/SE_UMOTION_BUILDER/
www.schneider-electric.com/en/download/document/Umotion_Server_update/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-advisories/icsa-17-180-02
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Schneider%20Electric%20U.motion%20Builder%20%28Update%20A%29&body=www.cisa.gov/news-events/ics-advisories/icsa-17-180-02
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
AI Score
Confidence
High
0.973 High
EPSS
Percentile
99.9%