Schneider Electric U.motion Builder is a tool designed for creating projects for U.motion devices that are used in critical manufacturing, energy, and commercial facilities industries.
“This exploit occurs when the submitted data of an input string is evaluated as a command by the application,” reads the advisory published by Schneider. “In this way, the attacker could execute code, read the stack, or cause a segmentation fault in the running application.”
The critical stack-based buffer overflow vulnerability tracked as CVE-2018-7784, it received the CVSS Score of 10.
The flaw was reported by the Chinese researcher who uses the online moniker “bigric3” that also reported a critical remote command injection vulnerability, tracked as CVE-2018-7785, that can lead to authentication bypass.
The CVE-2018-7785 Remote Command Injection flaw also has been assigned CVSS scores of 10.
Both flaws can be exploited easily exploited by a remote attacker without specific skills.
Bigric3 has also reported a medium severity cross-site scripting (XSS) vulnerability, tracked as CVE-2018-7786, in the U.motion Builder application.
The last issue addressed by Schneider with the release of version 1.3.4 is an improper validation of input of context parameter in an HTTP GET request. The flaw, tracked as CVE-2018-7787, was reported by the CVE-2018-7787 Wei Gao of Ixia.
This issue has been classified as having medium severity.
The ICS-CERT and the U.S. National Cybersecurity & Communications Integration Center (NCCIC) have published a security advisory that also includes mitigations to minimize the risk of exploitation of this vulnerability.
According to the NCCIC, users should:
(Security Affairs – Schneider Electric U.motion Builder, RCE)