-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1472
    Multiple vulnerabilities have been identified in Schneider Electric
                              U.motion Builder
                               13 June 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Schneider Electric U.motion Builder
Publisher:         Zero Day Initiative
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Root Compromise                 -- Existing Account
                   Create Arbitrary Files          -- Existing Account
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Mitigation

Original Bulletin:
   http://www.zerodayinitiative.com/advisories/ZDI-17-383/
   http://www.zerodayinitiative.com/advisories/ZDI-17-384/
   http://www.zerodayinitiative.com/advisories/ZDI-17-385/
   http://www.zerodayinitiative.com/advisories/ZDI-17-386/
   http://www.zerodayinitiative.com/advisories/ZDI-17-387/
   http://www.zerodayinitiative.com/advisories/ZDI-17-388/
   http://www.zerodayinitiative.com/advisories/ZDI-17-389/
   http://www.zerodayinitiative.com/advisories/ZDI-17-390/
   http://www.zerodayinitiative.com/advisories/ZDI-17-391/
   http://www.zerodayinitiative.com/advisories/ZDI-17-392/

Comment: This bulletin contains ten (10) Zero Day Initiative security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

(0Day) Schneider Electric U.motion Builder xmlserver SQL Injection Remote Code Execution Vulnerability
ZDI-17-383: June 12th, 2017

CVSS Score
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Vendors
Schneider Electric

Affected Products
U.motion Builder

TippingPoint(TM) IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 24400.
For further product information on the TippingPoint IPS:
    http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Schneider Electric U.motion Builder. Authentication is not required to exploit this vulnerability.

The specific flaw exists within processing of xmlserver.php, which is exposed on the web service with no authentication. The underlying SQLite database query is subject to SQL injection on the id input parameter. A remote attacker can leverage this vulnerability to execute arbitrary commands against the database.

Vendor Response
Schneider Electric states:
This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

03/29/2016 - ZDI disclosed the vulnerability reports to ICS-CERT (with an expected 'due date' of 07/27/16).
03/29/2016 - ICS-CERT acknowledged that they received them and "sent them on to our contacts at Schneider Electric, and will keep you informed of their progress. We are tracking these issues as ICS-VU-291195."
08/24/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
09/08/2016 - ICS-CERT replied requesting more information on one vulnerability report, but said of the others, "they have successfully validated the rest of the vulnerability reports. Unfortunately, they don't expect to have a patch ready until the end of this year." ICS-CERT suggested they would work with the vendor to try to bring this in.
09/19/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer.
10/11/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer and stressed potential 0-day.
12/14/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
06/02/2017 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.

Disclosure Timeline
2016-03-29 - Vulnerability reported to vendor
2017-06-12 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
rgod

-----------------------------------------------------------------------------

(0Day) Schneider Electric U.motion Builder editobject SQL Injection Remote Code Execution Vulnerability
ZDI-17-384: June 12th, 2017

CVSS Score
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Vendors
Schneider Electric

Affected Products
U.motion Builder

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Schneider Electric U.motion Builder. Authentication is not required to exploit this vulnerability.

The specific flaw exists within processing of editobject.php, which is exposed on the web service with no authentication. The underlying SQLite database query is subject to SQL injection on the type input parameter. A remote attacker can leverage this vulnerability to execute arbitrary commands against the database.

Vendor Response
Schneider Electric states:
This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

03/29/2016 - ZDI disclosed the vulnerability reports to ICS-CERT (with an expected 'due date' of 07/27/16).
03/29/2016 - ICS-CERT acknowledged that they received them and "sent them on to our contacts at Schneider Electric, and will keep you informed of their progress. We are tracking these issues as ICS-VU-291195."
08/24/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
09/08/2016 - ICS-CERT replied requesting more information on one vulnerability report, but said of the others, "they have successfully validated the rest of the vulnerability reports. Unfortunately, they don't expect to have a patch ready until the end of this year." ICS-CERT suggested they would work with the vendor to try to bring this in.
09/19/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer.
10/11/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer and stressed potential 0-day.
12/14/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
06/02/2017 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.
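The two SQLite injection advisories above (ZDI-17-383 on the id parameter of xmlserver.php, ZDI-17-384 on the type parameter of editobject.php) share one root cause: a request parameter is spliced into the SQL text, so the database parser sees attacker-controlled syntax. The Python/sqlite3 program below is an added example, not code from ZDI or Schneider Electric. The objects table, its columns, the row data and the payloads are all constructed for the demonstration and nothing in it is taken from the product. It shows the string-built query handing back every row plus a column the endpoint never exposed, and the same lookups with the value bound as a parameter (and, for the numeric id, validated as an integer first), which the same payloads cannot break out of.

```python
"""Added example (not ZDI's or Schneider Electric's code): the SQL injection
bug class behind ZDI-17-383 (id parameter) and ZDI-17-384 (type parameter),
shown against an in-memory SQLite database with a constructed schema."""
import sqlite3

# Constructed stand-in for the application's object table; the real table and
# column names are not given in the advisories.
SCHEMA = """
CREATE TABLE objects (id INTEGER PRIMARY KEY, type TEXT, name TEXT, secret TEXT);
INSERT INTO objects VALUES (1, 'light',  'hall lamp',  NULL);
INSERT INTO objects VALUES (2, 'light',  'porch lamp', NULL);
INSERT INTO objects VALUES (3, 'config', 'admin',      'hunter2');
"""


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- the pattern the advisories describe: request parameter spliced into SQL text ---

def by_id_vulnerable(conn, object_id: str):
    sql = f"SELECT id, name FROM objects WHERE id = {object_id}"
    return conn.execute(sql).fetchall()


def by_type_vulnerable(conn, obj_type: str):
    sql = f"SELECT id, name FROM objects WHERE type = '{obj_type}'"
    return conn.execute(sql).fetchall()


# --- the fix: validate the shape, then bind the value instead of concatenating ---

def by_id_fixed(conn, object_id: str):
    try:
        oid = int(object_id)  # an object id is an integer; anything else is refused outright
    except ValueError:
        return []
    return conn.execute("SELECT id, name FROM objects WHERE id = ?", (oid,)).fetchall()


def by_type_fixed(conn, obj_type: str):
    # A bound parameter reaches SQLite out of band: it can be compared, never parsed.
    return conn.execute("SELECT id, name FROM objects WHERE type = ?", (obj_type,)).fetchall()


def demo():
    conn = fresh_db()
    # Constructed payloads: tautology plus UNION on the numeric id, quote break-out on the text type.
    hostile_id = "1 OR 1=1 UNION SELECT id, secret FROM objects WHERE secret IS NOT NULL"
    hostile_type = "' OR 1=1 --"
    return {
        "id_benign_vuln": by_id_vulnerable(conn, "1"),
        "id_hostile_vuln": by_id_vulnerable(conn, hostile_id),      # every row, plus the secret column
        "id_benign_fixed": by_id_fixed(conn, "1"),
        "id_hostile_fixed": by_id_fixed(conn, hostile_id),          # refused: not an integer
        "type_hostile_vuln": by_type_vulnerable(conn, hostile_type),  # every row
        "type_hostile_fixed": by_type_fixed(conn, hostile_type),    # no row has that literal type
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:20s} {rows}")
```

The bound-parameter form is also the shape a request handler needs when, as in ZDI-17-387 later in this bulletin, the web service forwards SQL from a SOAP message: the client may choose values, never statement text.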
Disclosure Timeline
2016-03-29 - Vulnerability reported to vendor
2017-06-12 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
rgod

-----------------------------------------------------------------------------

(0Day) Schneider Electric U.motion Builder error Information Disclosure Vulnerability
ZDI-17-385: June 12th, 2017

CVSS Score
5, (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Vendors
Schneider Electric

Affected Products
U.motion Builder

TippingPoint(TM) IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 24487. For further product information on the TippingPoint IPS:
    http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows remote attackers to acquire system information about vulnerable installations of Schneider Electric U.motion Builder. Authentication is not required to exploit this vulnerability.

The specific flaw exists within error.php. System information is returned to the attacker that contains sensitive data. This can be leveraged by an attacker in conjunction with other vulnerabilities to execute arbitrary code on the system.

Vendor Response
Schneider Electric states:
This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

03/29/2016 - ZDI disclosed the vulnerability reports to ICS-CERT (with an expected 'due date' of 07/27/16).
03/29/2016 - ICS-CERT acknowledged that they received them and "sent them on to our contacts at Schneider Electric, and will keep you informed of their progress. We are tracking these issues as ICS-VU-291195."
08/24/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
09/08/2016 - ICS-CERT replied requesting more information on one vulnerability report, but said of the others, "they have successfully validated the rest of the vulnerability reports. Unfortunately, they don't expect to have a patch ready until the end of this year." ICS-CERT suggested they would work with the vendor to try to bring this in.
09/19/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer.
10/11/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer and stressed potential 0-day.
12/14/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
06/02/2017 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.

Disclosure Timeline
2016-04-04 - Vulnerability reported to vendor
2017-06-12 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
rgod

-----------------------------------------------------------------------------

(0Day) Schneider Electric U.motion Builder Error Message Path Information Disclosure Vulnerability
ZDI-17-386: June 12th, 2017

CVSS Score
5, (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Vendors
Schneider Electric

Affected Products
U.motion Builder

Vulnerability Details
This vulnerability allows remote attackers to acquire path information about vulnerable installations of Schneider Electric U.motion Builder. Authentication is not required to exploit this vulnerability.

The specific flaw exists within externalframe.php. Exception information is returned to the attacker that contains sensitive path information. This can be leveraged by an attacker in conjunction with other vulnerabilities to execute arbitrary code on the system.

Vendor Response
Schneider Electric states:
This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

03/29/2016 - ZDI disclosed the vulnerability reports to ICS-CERT (with an expected 'due date' of 07/27/16).
03/29/2016 - ICS-CERT acknowledged that they received them and "sent them on to our contacts at Schneider Electric, and will keep you informed of their progress. We are tracking these issues as ICS-VU-291195."
08/24/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
09/08/2016 - ICS-CERT replied requesting more information on one vulnerability report, but said of the others, "they have successfully validated the rest of the vulnerability reports. Unfortunately, they don't expect to have a patch ready until the end of this year." ICS-CERT suggested they would work with the vendor to try to bring this in.
09/19/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer.
10/11/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer and stressed potential 0-day.
12/14/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
06/02/2017 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.
Disclosure Timeline
2016-04-04 - Vulnerability reported to vendor
2017-06-12 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
rgod

-----------------------------------------------------------------------------

(0Day) Schneider Electric U.motion Builder SOAP Request Remote SQL Command Execution Vulnerability
ZDI-17-387: June 12th, 2017

CVSS Score
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Vendors
Schneider Electric

Affected Products
U.motion Builder

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary SQL commands on vulnerable installations of Schneider Electric U.motion Builder. Authentication is not required to exploit this vulnerability.

The specific flaw exists within processing of SOAP requests by the web service. The system allows SOAP requests to perform arbitrary SQL commands. An attacker can leverage this vulnerability to execute arbitrary code in the context of the database.

Vendor Response
Schneider Electric states:
This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

03/29/2016 - ZDI disclosed the vulnerability reports to ICS-CERT (with an expected 'due date' of 07/27/16).
03/29/2016 - ICS-CERT acknowledged that they received them and "sent them on to our contacts at Schneider Electric, and will keep you informed of their progress. We are tracking these issues as ICS-VU-291195."
08/24/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
09/08/2016 - ICS-CERT replied requesting more information on one vulnerability report, but said of the others, "they have successfully validated the rest of the vulnerability reports. Unfortunately, they don't expect to have a patch ready until the end of this year." ICS-CERT suggested they would work with the vendor to try to bring this in.
09/19/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer.
10/11/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer and stressed potential 0-day.
12/14/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
06/02/2017 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.

Disclosure Timeline
2016-04-04 - Vulnerability reported to vendor
2017-06-12 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
rgod

-----------------------------------------------------------------------------

(0Day) Schneider Electric U.motion Builder file_picker Directory Traversal Arbitrary File Upload Remote Code Execution Vulnerability
ZDI-17-388: June 12th, 2017

CVSS Score
6.5, (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Affected Vendors
Schneider Electric

Affected Products
U.motion Builder

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Schneider Electric U.motion Builder. User authentication is required to exploit this vulnerability.

The specific flaw exists within file_picker.php. The upload path specified by the user is not constrained, so any logged-in user can upload files to any location in the system that is writable by the web service. An attacker can leverage this to execute code on the system in the context of the web server.
Vendor Response
Schneider Electric states:
This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

03/29/2016 - ZDI disclosed the vulnerability reports to ICS-CERT (with an expected 'due date' of 07/27/16).
03/29/2016 - ICS-CERT acknowledged that they received them and "sent them on to our contacts at Schneider Electric, and will keep you informed of their progress. We are tracking these issues as ICS-VU-291195."
08/24/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
09/08/2016 - ICS-CERT replied requesting more information on one vulnerability report, but said of the others, "they have successfully validated the rest of the vulnerability reports. Unfortunately, they don't expect to have a patch ready until the end of this year." ICS-CERT suggested they would work with the vendor to try to bring this in.
09/19/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer.
10/11/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer and stressed potential 0-day.
12/14/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
06/02/2017 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.
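The file_picker.php flaw is an upload destination the server never checks against the directory it was meant to stay in; the two directory traversal reads later in this bulletin (the 's' parameter of runscript.php in ZDI-17-389 and the 'css' parameter of css.inc.php in ZDI-17-390) are the same missing check in the read direction. The Python below is an added example, not the vendor's code: one containment function that resolves the candidate path and accepts it only if it is the base directory or a descendant of it, exercised against constructed inputs in a temporary sandbox. The base directory, file names and payload strings are assumptions for the demonstration.

```python
"""Added example (not Schneider Electric's or ZDI's code): the path containment
check missing from file_picker.php (ZDI-17-388) and from the 's'/'css'
parameters of ZDI-17-389 and ZDI-17-390."""
import os
import tempfile
from urllib.parse import unquote


class PathEscape(ValueError):
    """Raised when a user-supplied path would leave the permitted directory."""


def resolve_inside(base_dir: str, user_path: str) -> str:
    """Return the absolute path for user_path, or raise PathEscape.

    The input is percent-decoded once (decode exactly as many times as the
    server does, or '%2e%2e%2f' slips past a literal '..' check).  Both sides
    are passed through realpath(), so '..' segments, absolute paths and
    symlinks that point above the base are all caught by a single rule: the
    result must be the base itself or a path strictly underneath it.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, unquote(user_path)))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise PathEscape(f"{user_path!r} resolves outside {base_dir}")
    return candidate


def check_many(base_dir: str, inputs):
    """Classify each input as 'allowed' or 'rejected' (used by the assertions)."""
    verdicts = {}
    for p in inputs:
        try:
            resolve_inside(base_dir, p)
            verdicts[p] = "allowed"
        except PathEscape:
            verdicts[p] = "rejected"
    return verdicts


def demo():
    # Constructed sandbox standing in for the web root's script directory.
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "www", "scripts")
        os.makedirs(os.path.join(base, "sub"))
        inputs = [
            "main.js",                      # plain file under base
            "sub/theme.css",                # subdirectory under base
            "sub/../main.js",               # '..' that still lands inside base
            "../../etc/passwd",             # classic traversal
            "..%2F..%2Fetc%2Fpasswd",       # same, percent-encoded once
            "/etc/passwd",                  # absolute path discards the base entirely
        ]
        try:
            # Symlink pointing above base: realpath() follows it, so it is rejected too.
            os.symlink(root, os.path.join(base, "escape"))
            inputs.append("escape/secret.txt")
        except OSError:
            pass  # symlink creation needs privileges on some platforms; skip that case
        return check_many(base, inputs)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:8s} {path}")
```

For an upload endpoint the same function is applied to the destination before the file is written; for a read endpoint it is applied before the file is opened. Note that the upload case also needs the write to be refused when the resolved path is one the web server may execute, which is the step that turns an arbitrary write into the remote code execution the advisory title describes.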
Disclosure Timeline
2016-04-04 - Vulnerability reported to vendor
2017-06-12 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
rgod

-----------------------------------------------------------------------------

(0Day) Schneider Electric U.motion Builder runscript Directory Traversal Information Disclosure Vulnerability
ZDI-17-389: June 12th, 2017

CVSS Score
5, (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Vendors
Schneider Electric

Affected Products
U.motion Builder

TippingPoint(TM) IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 24384. For further product information on the TippingPoint IPS:
    http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows remote attackers to exfiltrate arbitrary files on vulnerable installations of Schneider Electric U.motion Builder. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the runscript.php applet. There is a directory traversal vulnerability in the processing of the 's' parameter of the applet. An attacker can leverage this vulnerability to disclose files from the system.

Vendor Response
Schneider Electric states:
This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

03/29/2016 - ZDI disclosed the vulnerability reports to ICS-CERT (with an expected 'due date' of 07/27/16).
03/29/2016 - ICS-CERT acknowledged that they received them and "sent them on to our contacts at Schneider Electric, and will keep you informed of their progress. We are tracking these issues as ICS-VU-291195."
08/24/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
09/08/2016 - ICS-CERT replied requesting more information on one vulnerability report, but said of the others, "they have successfully validated the rest of the vulnerability reports. Unfortunately, they don't expect to have a patch ready until the end of this year." ICS-CERT suggested they would work with the vendor to try to bring this in.
09/19/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer.
10/11/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer and stressed potential 0-day.
12/14/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
06/02/2017 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.

Disclosure Timeline
2016-04-04 - Vulnerability reported to vendor
2017-06-12 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
rgod

-----------------------------------------------------------------------------

(0Day) Schneider Electric U.motion Builder css.inc Directory Traversal Information Disclosure Vulnerability
ZDI-17-390: June 12th, 2017

CVSS Score
5, (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Vendors
Schneider Electric

Affected Products
U.motion Builder

TippingPoint(TM) IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 24383.
For further product information on the TippingPoint IPS:
    http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows remote attackers to disclose files on vulnerable installations of Schneider Electric U.motion Builder. Authentication is not required to exploit this vulnerability.

The specific flaw exists within css.inc.php. The 'css' parameter contains a directory traversal vulnerability. An attacker can leverage this to disclose files.

Vendor Response
Schneider Electric states:
This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

03/29/2016 - ZDI disclosed the vulnerability reports to ICS-CERT (with an expected 'due date' of 07/27/16).
03/29/2016 - ICS-CERT acknowledged that they received them and "sent them on to our contacts at Schneider Electric, and will keep you informed of their progress. We are tracking these issues as ICS-VU-291195."
08/24/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
09/08/2016 - ICS-CERT replied requesting more information on one vulnerability report, but said of the others, "they have successfully validated the rest of the vulnerability reports. Unfortunately, they don't expect to have a patch ready until the end of this year." ICS-CERT suggested they would work with the vendor to try to bring this in.
09/19/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer.
10/11/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer and stressed potential 0-day.
12/14/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
06/02/2017 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.

Disclosure Timeline
2016-04-04 - Vulnerability reported to vendor
2017-06-12 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
rgod

-----------------------------------------------------------------------------

(0Day) Schneider Electric U.motion Builder Embedded Session ID Authentication Bypass Vulnerability
ZDI-17-391: June 12th, 2017

CVSS Score
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Vendors
Schneider Electric

Affected Products
U.motion Builder

TippingPoint(TM) IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 24382. For further product information on the TippingPoint IPS:
    http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows remote attackers to bypass authentication on vulnerable installations of Schneider Electric U.motion Builder. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of session management. The application has a hard-coded static session ID. By embedding that session ID in the HTTP cookie, an attacker can bypass authentication and execute functionality on the application.

Vendor Response
Schneider Electric states:
This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

03/29/2016 - ZDI disclosed the vulnerability reports to ICS-CERT (with an expected 'due date' of 07/27/16).
03/29/2016 - ICS-CERT acknowledged that they received them and "sent them on to our contacts at Schneider Electric, and will keep you informed of their progress. We are tracking these issues as ICS-VU-291195."
08/24/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
09/08/2016 - ICS-CERT replied requesting more information on one vulnerability report, but said of the others, "they have successfully validated the rest of the vulnerability reports. Unfortunately, they don't expect to have a patch ready until the end of this year." ICS-CERT suggested they would work with the vendor to try to bring this in.
09/19/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer.
10/11/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer and stressed potential 0-day.
12/14/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
06/02/2017 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.
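ZDI-17-391 is a hard-coded session identifier: whoever knows the value is logged in, with no password involved. A check a tester or operator can run against their own deployment is to collect the session cookies issued across several independent logins and look for values that repeat, are shared between different users, or are too short to be random. The Python below is an added example, not ZDI's or the vendor's code, and the observed logins are constructed: it shows a per-login random ID generated with the standard-library secrets module, and an audit function that flags the static value. The Shannon estimate it uses is a ceiling on one value, not a proof of randomness; collecting many samples over time is the real test.

```python
"""Added example (not ZDI's or Schneider Electric's code): auditing observed
session identifiers for the static-ID condition behind ZDI-17-391."""
import math
import secrets
from collections import Counter

MIN_BITS = 64  # widely cited floor for session ID entropy (OWASP session management guidance)


def new_session_id() -> str:
    """What an application should issue: a fresh value per login from the OS CSPRNG."""
    return secrets.token_urlsafe(32)  # 256 random bits, 43 URL-safe characters


def shannon_bits(s: str) -> float:
    """Total Shannon information in s (bits per character times length).

    A single string cannot prove unpredictability, but a value that scores
    below MIN_BITS cannot possibly carry enough; it is a cheap upper bound."""
    n = len(s)
    counts = Counter(s)
    per_char = -sum(c / n * math.log2(c / n) for c in counts.values())
    return per_char * n


def audit_session_ids(logins):
    """logins: iterable of (username, session_id) captured from separate authentications.

    Returns {session_id: [problem, ...]} for every value that should not have
    been issued: reused across logins, shared by different users, or too short."""
    logins = list(logins)
    issued = Counter(sid for _, sid in logins)
    users_per_id = {}
    for user, sid in logins:
        users_per_id.setdefault(sid, set()).add(user)

    findings = {}
    for sid, count in issued.items():
        problems = []
        if count > 1:
            problems.append(f"reused across {count} logins")
        if len(users_per_id[sid]) > 1:
            problems.append("shared between different users (static ID)")
        bits = shannon_bits(sid)
        if bits < MIN_BITS:
            problems.append(f"low entropy (at most ~{bits:.0f} bits)")
        if problems:
            findings[sid] = problems
    return findings


def demo():
    # Constructed observations: one cookie value handed to every user on every
    # login (the ZDI-17-391 condition) next to two properly generated ones.
    static = "ADMIN-SESSION-1"
    observed = [
        ("alice", static),
        ("bob", static),
        ("alice", static),
        ("carol", new_session_id()),
        ("dave", new_session_id()),
    ]
    return audit_session_ids(observed)


if __name__ == "__main__":
    for sid, problems in demo().items():
        print(sid, "->", "; ".join(problems))
```

In practice the tuples come from a proxy log or from scripted logins; the point is that a static ID is visible from the outside without any knowledge of the application's code, so the same check can be repeated after a vendor fix to confirm it took.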
Disclosure Timeline
2016-04-04 - Vulnerability reported to vendor
2017-06-12 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
rgod

-----------------------------------------------------------------------------

(0Day) Schneider Electric U.motion Builder Local Privilege Escalation Vulnerability
ZDI-17-392: June 12th, 2017

CVSS Score
6.8, (AV:L/AC:L/Au:S/C:C/I:C/A:C)

Affected Vendors
Schneider Electric

Affected Products
U.motion Builder

Vulnerability Details
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Schneider Electric U.motion Builder. Authentication is required to exploit this vulnerability.

The specific flaw exists within the handling of the system configuration. The web administration account is set up with the ability to sudo without a password. An attacker can leverage this vulnerability to execute arbitrary code under the context of root.

Vendor Response
Schneider Electric states:
This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

03/29/2016 - ZDI disclosed the vulnerability reports to ICS-CERT (with an expected 'due date' of 07/27/16).
03/29/2016 - ICS-CERT acknowledged that they received them and "sent them on to our contacts at Schneider Electric, and will keep you informed of their progress. We are tracking these issues as ICS-VU-291195."
08/24/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
09/08/2016 - ICS-CERT replied requesting more information on one vulnerability report, but said of the others, "they have successfully validated the rest of the vulnerability reports. Unfortunately, they don't expect to have a patch ready until the end of this year." ICS-CERT suggested they would work with the vendor to try to bring this in.
09/19/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer.
10/11/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer and stressed potential 0-day.
12/14/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
06/02/2017 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.

Disclosure Timeline
2016-04-04 - Vulnerability reported to vendor
2017-06-12 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
rgod

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWT82M4x+lLeg9Ub1AQjkRRAAgoeJ4+wxYBNWYvD0xfkTmGgv4UlRJWbF
1DiWeMfpD3BSqcUJNLnJUVtmilb4l33F1BxI7ZpgLrddHDCe8yMyPnXldvKS4WkM
ivAhsjZj2NsV+Bk0+jGNPGruyoUSCOtJJlo3MeCqyOtAcuEQ2BeAyRtU3FXb+lfB
igE6RW3KhHNcadfSuU/t3HMkufN1YvPmDBk1mJCpRwAlbfA9mvn9PMZhKN06HDew
cCJBo5/m/NHOnudOPqv4gNudmxhQ9g3tPJUcESRdbE8WnYCNWSL5U97xvEJdb0xF
saeuK0zDfDDPBGQQFMPNNHyLfkY39q7lOyqKuHwOLjXLGS1apxJ5t95V98EP+hfO
/eiL44MZNUhozowOHQfG2Lv0CTIJ70wiX8B/rsz4C9mdGAEgHV6d18I9Oyi12kC6
xEOipb9UETcLtRpnjDVpEU9m2cy9805DM8DNS0VT+TPbFNwHt15eH2BRn4FP+UXj
uS7470rMwoi3XROrdJ6wJCS/aI4qfH/2guTqyyApPtpSPwZfA33eC6V34QH/UtdH
uZgyCmk9o64ZYQPQEAlXB4Z3wV7K4sfR3bgmrmcYal4ujzjJHYQ4C7HmjG316idQ
kVKLAYL5w/k1cz08D3neHf7j0smY8EpGCHqNs+LMdCGcKkZ6nQ4TsiqQpnyuOEY1
HueNYvkF9hU=
=u8VR
-----END PGP SIGNATURE-----