-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1472
        Multiple vulnerabilities have been identified in Schneider
                         Electric U.motion Builder
                               13 June 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Schneider Electric U.motion Builder
Publisher:         Zero Day Initiative
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Root Compromise                 -- Existing Account      
                   Create Arbitrary Files          -- Existing Account      
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Mitigation

Original Bulletin: 
   http://www.zerodayinitiative.com/advisories/ZDI-17-383/
   http://www.zerodayinitiative.com/advisories/ZDI-17-384/
   http://www.zerodayinitiative.com/advisories/ZDI-17-385/
   http://www.zerodayinitiative.com/advisories/ZDI-17-386/
   http://www.zerodayinitiative.com/advisories/ZDI-17-387/
   http://www.zerodayinitiative.com/advisories/ZDI-17-388/
   http://www.zerodayinitiative.com/advisories/ZDI-17-389/
   http://www.zerodayinitiative.com/advisories/ZDI-17-390/
   http://www.zerodayinitiative.com/advisories/ZDI-17-391/
   http://www.zerodayinitiative.com/advisories/ZDI-17-392/

Comment: This bulletin contains ten (10) Zero Day Initiative security 
         advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

(0Day) Schneider Electric U.motion Builder xmlserver SQL Injection Remote
Code Execution Vulnerability

ZDI-17-383: June 12th, 2017

CVSS Score

    7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Vendors

    Schneider Electric

Affected Products

    U.motion Builder

TippingPoint(TM) IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by
Digital Vaccine protection filter ID 24400. For further product information
on the TippingPoint IPS:

    http://www.tippingpoint.com

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary
code on vulnerable installations of Schneider Electric U.motion
Builder. Authentication is not required to exploit this vulnerability.

The specific flaw exists within processing of xmlserver.php, which is
exposed on the web service with no authentication. The underlying SQLite
database query is subject to SQL injection on the id input parameter. A
remote attacker can leverage this vulnerability to execute arbitrary
commands against the database.

Vendor Response

Schneider Electric states:

This vulnerability is being disclosed publicly without a patch in accordance
with the ZDI 120 day deadline.

03/29/2016 - ZDI disclosed the vulnerability reports to ICS-CERT (with an
expected 'due date' of 07/27/16).
03/29/2016 - ICS-CERT acknowledged that they received them and "sent them
on to our contacts at Schneider Electric, and will keep you informed of
their progress. We are tracking these issues as ICS-VU-291195."
08/24/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
09/08/2016 - ICS-CERT replied requesting more information on one
vulnerability report, but said of the others, "they have successfully
validated the rest of the vulnerability reports. Unfortunately, they don't
expect to have a patch ready until the end of this year." ICS-CERT suggested
they would work with the vendor to try to bring this in.
09/19/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor
was anywhere closer.
10/11/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor
was anywhere closer and stressed potential 0-day.
12/14/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
06/02/2017 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.

-- Mitigation:

Given the nature of the vulnerability, the only salient mitigation
strategy is to restrict interaction with the service to trusted
machines. Only the clients and servers that have a legitimate
procedural relationship with the service should be permitted to
communicate with it. This could be accomplished in a number of ways,
most notably with firewall rules/whitelisting. These features
are available in the native Windows Firewall, as described in
http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and
numerous other Microsoft Knowledge Base articles.


Disclosure Timeline

    2016-03-29 - Vulnerability reported to vendor
    2017-06-12 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

    rgod

-----------------------------------------------------------------------------

(0Day) Schneider Electric U.motion Builder editobject SQL Injection Remote
Code Execution Vulnerability

ZDI-17-384: June 12th, 2017

CVSS Score

    7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Vendors

    Schneider Electric

Affected Products

    U.motion Builder

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary
code on vulnerable installations of Schneider Electric U.motion
Builder. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the processing of editobject.php, which is
exposed on the web service with no authentication. The underlying SQLite
database query is subject to SQL injection on the type input parameter. A
remote attacker can leverage this vulnerability to execute arbitrary
commands against the database.
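
The two SQLite injection points described above (the id parameter of
xmlserver.php and the type parameter of editobject.php) share the same
defect: a request parameter is spliced into the SQL text. The Python example
below is added here and is not code from the product or from the advisory; it
shows the failure pattern beside its hardened form, using a constructed
in-memory table, an integer check for id and an allow-list for type (the
table layout and the type names are assumptions).

```python
import sqlite3


def build_sample_db():
    """Constructed stand-in for the product's SQLite store (not its real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE objects (id INTEGER PRIMARY KEY, type TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO objects VALUES (?, ?, ?)",
        [(1, "light", "Hall"), (2, "blind", "Kitchen"), (3, "thermostat", "Office")],
    )
    return conn


def lookup_by_id_unsafe(conn, object_id):
    """The vulnerable pattern: the request parameter becomes part of the SQL text,
    so a value such as '1 OR 1=1' turns a one-row lookup into a full table read."""
    sql = "SELECT id, name FROM objects WHERE id = %s" % object_id
    return conn.execute(sql).fetchall()


# Assumed set of legitimate object types for the editobject-style parameter.
ALLOWED_TYPES = frozenset({"light", "blind", "thermostat"})


def lookup_by_id_safe(conn, object_id):
    """Hardened form: reject anything that is not an integer, then bind it."""
    try:
        oid = int(object_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    return conn.execute("SELECT id, name FROM objects WHERE id = ?", (oid,)).fetchall()


def lookup_by_type_safe(conn, type_name):
    """Hardened form for a string parameter: allow-list it, then bind it."""
    if type_name not in ALLOWED_TYPES:
        raise ValueError("unknown object type")
    return conn.execute(
        "SELECT id, name FROM objects WHERE type = ?", (type_name,)
    ).fetchall()


def is_rejected(lookup, conn, value):
    """True when a hardened lookup refuses the value instead of querying with it."""
    try:
        lookup(conn, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_sample_db()
    crafted = "1 OR 1=1"
    print("unsafe lookup rows:", len(lookup_by_id_unsafe(db, crafted)))   # every row
    print("safe lookup rejects:", is_rejected(lookup_by_id_safe, db, crafted))
    print("safe lookup of id 2:", lookup_by_id_safe(db, "2"))
```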

Vendor Response

Schneider Electric states:

This vulnerability is being disclosed publicly without a patch in accordance
with the ZDI 120 day deadline.

03/29/2016 - ZDI disclosed the vulnerability reports to ICS-CERT (with an
expected 'due date' of 07/27/16).
03/29/2016 - ICS-CERT acknowledged that they received them and "sent them
on to our contacts at Schneider Electric, and will keep you informed of
their progress. We are tracking these issues as ICS-VU-291195."
08/24/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
09/08/2016 - ICS-CERT replied requesting more information on one
vulnerability report, but said of the others, "they have successfully
validated the rest of the vulnerability reports. Unfortunately, they don't
expect to have a patch ready until the end of this year." ICS-CERT suggested
they would work with the vendor to try to bring this in.
09/19/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor
was anywhere closer.
10/11/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor
was anywhere closer and stressed potential 0-day.
12/14/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
06/02/2017 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.

-- Mitigation:

Given the nature of the vulnerability, the only salient mitigation
strategy is to restrict interaction with the service to trusted
machines. Only the clients and servers that have a legitimate
procedural relationship with the service should be permitted to
communicate with it. This could be accomplished in a number of ways,
most notably with firewall rules/whitelisting. These features
are available in the native Windows Firewall, as described in
http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and
numerous other Microsoft Knowledge Base articles.

Disclosure Timeline

    2016-03-29 - Vulnerability reported to vendor
    2017-06-12 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

    rgod

-----------------------------------------------------------------------------

(0Day) Schneider Electric U.motion Builder error Information Disclosure
Vulnerability

ZDI-17-385: June 12th, 2017

CVSS Score

    5, (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Vendors

    Schneider Electric

Affected Products

    U.motion Builder

TippingPoint(TM) IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by
Digital Vaccine protection filter ID 24487. For further product information
on the TippingPoint IPS:

    http://www.tippingpoint.com

Vulnerability Details

This vulnerability allows remote attackers to acquire system information
about vulnerable installations of Schneider Electric U.motion
Builder. Authentication is not required to exploit this vulnerability.

The specific flaw exists within error.php. System information is returned
to the attacker that contains sensitive data. This can be leveraged by an
attacker in conjunction with other vulnerabilities to execute arbitrary
code on the system.

Vendor Response

Schneider Electric states:

This vulnerability is being disclosed publicly without a patch in accordance
with the ZDI 120 day deadline.

03/29/2016 - ZDI disclosed the vulnerability reports to ICS-CERT (with an
expected 'due date' of 07/27/16).
03/29/2016 - ICS-CERT acknowledged that they received them and "sent them
on to our contacts at Schneider Electric, and will keep you informed of
their progress. We are tracking these issues as ICS-VU-291195."
08/24/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
09/08/2016 - ICS-CERT replied requesting more information on one
vulnerability report, but said of the others, "they have successfully
validated the rest of the vulnerability reports. Unfortunately, they don't
expect to have a patch ready until the end of this year." ICS-CERT suggested
they would work with the vendor to try to bring this in.
09/19/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor
was anywhere closer.
10/11/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor
was anywhere closer and stressed potential 0-day.
12/14/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
06/02/2017 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.

-- Mitigation:

Given the nature of the vulnerability, the only salient mitigation
strategy is to restrict interaction with the service to trusted
machines. Only the clients and servers that have a legitimate
procedural relationship with the service should be permitted to
communicate with it. This could be accomplished in a number of ways,
most notably with firewall rules/whitelisting. These features
are available in the native Windows Firewall, as described in
http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and
numerous other Microsoft Knowledge Base articles.


Disclosure Timeline

    2016-04-04 - Vulnerability reported to vendor
    2017-06-12 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

    rgod

-----------------------------------------------------------------------------

(0Day) Schneider Electric U.motion Builder Error Message Path Information
Disclosure Vulnerability

ZDI-17-386: June 12th, 2017

CVSS Score

    5, (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Vendors

    Schneider Electric

Affected Products

    U.motion Builder

Vulnerability Details

This vulnerability allows remote attackers to acquire path information
about vulnerable installations of Schneider Electric U.motion
Builder. Authentication is not required to exploit this vulnerability.

The specific flaw exists within externalframe.php. Exception information
is returned to the attacker that contains sensitive path information. This
can be leveraged by an attacker in conjunction with other vulnerabilities
to execute arbitrary code on the system.

Vendor Response

Schneider Electric states:

This vulnerability is being disclosed publicly without a patch in accordance
with the ZDI 120 day deadline.

03/29/2016 - ZDI disclosed the vulnerability reports to ICS-CERT (with an
expected 'due date' of 07/27/16).
03/29/2016 - ICS-CERT acknowledged that they received them and "sent them
on to our contacts at Schneider Electric, and will keep you informed of
their progress. We are tracking these issues as ICS-VU-291195."
08/24/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
09/08/2016 - ICS-CERT replied requesting more information on one
vulnerability report, but said of the others, "they have successfully
validated the rest of the vulnerability reports. Unfortunately, they don't
expect to have a patch ready until the end of this year." ICS-CERT suggested
they would work with the vendor to try to bring this in.
09/19/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor
was anywhere closer.
10/11/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor
was anywhere closer and stressed potential 0-day.
12/14/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
06/02/2017 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.

-- Mitigation:

Given the nature of the vulnerability, the only salient mitigation
strategy is to restrict interaction with the service to trusted
machines. Only the clients and servers that have a legitimate
procedural relationship with the service should be permitted to
communicate with it. This could be accomplished in a number of ways,
most notably with firewall rules/whitelisting. These features
are available in the native Windows Firewall, as described in
http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and
numerous other Microsoft Knowledge Base articles.


Disclosure Timeline

    2016-04-04 - Vulnerability reported to vendor
    2017-06-12 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

    rgod

-----------------------------------------------------------------------------

(0Day) Schneider Electric U.motion Builder SOAP Request Remote SQL Command
Execution Vulnerability

ZDI-17-387: June 12th, 2017

CVSS Score

    7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Vendors

    Schneider Electric

Affected Products

    U.motion Builder

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary SQL
commands on vulnerable installations of Schneider Electric U.motion
Builder. Authentication is not required to exploit this vulnerability.

The specific flaw exists within processing of SOAP requests by the
web service. The system allows SOAP requests to perform arbitrary SQL
commands. An attacker can leverage this vulnerability to execute arbitrary
code in the context of the database.

Vendor Response

Schneider Electric states:

This vulnerability is being disclosed publicly without a patch in accordance
with the ZDI 120 day deadline.

03/29/2016 - ZDI disclosed the vulnerability reports to ICS-CERT (with an
expected 'due date' of 07/27/16).
03/29/2016 - ICS-CERT acknowledged that they received them and "sent them
on to our contacts at Schneider Electric, and will keep you informed of
their progress. We are tracking these issues as ICS-VU-291195."
08/24/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
09/08/2016 - ICS-CERT replied requesting more information on one
vulnerability report, but said of the others, "they have successfully
validated the rest of the vulnerability reports. Unfortunately, they don't
expect to have a patch ready until the end of this year." ICS-CERT suggested
they would work with the vendor to try to bring this in.
09/19/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor
was anywhere closer.
10/11/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor
was anywhere closer and stressed potential 0-day.
12/14/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
06/02/2017 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.

-- Mitigation:

Given the nature of the vulnerability, the only salient mitigation
strategy is to restrict interaction with the service to trusted
machines. Only the clients and servers that have a legitimate
procedural relationship with the service should be permitted to
communicate with it. This could be accomplished in a number of ways,
most notably with firewall rules/whitelisting. These features
are available in the native Windows Firewall, as described in
http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and
numerous other Microsoft Knowledge Base articles.

Disclosure Timeline

    2016-04-04 - Vulnerability reported to vendor
    2017-06-12 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

    rgod

-----------------------------------------------------------------------------

(0Day) Schneider Electric U.motion Builder file_picker Directory Traversal
Arbitrary File Upload Remote Code Execution Vulnerability

ZDI-17-388: June 12th, 2017

CVSS Score

    6.5, (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Affected Vendors

    Schneider Electric

Affected Products

    U.motion Builder

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Schneider Electric U.motion Builder. User
authentication is required to exploit this vulnerability.

The specific flaw exists within file_picker.php. The upload path specified by
the user is not constrained, so any logged-in user can upload files to any
location in the system that is writable by the web service. An attacker can
leverage this to execute code on the system in the context of the web server.

Vendor Response

Schneider Electric states:

This vulnerability is being disclosed publicly without a patch in accordance
with the ZDI 120 day deadline.

03/29/2016 - ZDI disclosed the vulnerability reports to ICS-CERT (with an
expected 'due date' of 07/27/16).
03/29/2016 - ICS-CERT acknowledged that they received them and "sent them
on to our contacts at Schneider Electric, and will keep you informed of
their progress. We are tracking these issues as ICS-VU-291195."
08/24/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
09/08/2016 - ICS-CERT replied requesting more information on one
vulnerability report, but said of the others, "they have successfully
validated the rest of the vulnerability reports. Unfortunately, they don't
expect to have a patch ready until the end of this year." ICS-CERT suggested
they would work with the vendor to try to bring this in.
09/19/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor
was anywhere closer.
10/11/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor
was anywhere closer and stressed potential 0-day.
12/14/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
06/02/2017 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.

-- Mitigation:

Given the nature of the vulnerability, the only salient mitigation
strategy is to restrict interaction with the service to trusted
machines. Only the clients and servers that have a legitimate
procedural relationship with the service should be permitted to
communicate with it. This could be accomplished in a number of ways,
most notably with firewall rules/whitelisting. These features
are available in the native Windows Firewall, as described in
http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and
numerous other Microsoft Knowledge Base articles.

Disclosure Timeline

    2016-04-04 - Vulnerability reported to vendor
    2017-06-12 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

    rgod

-----------------------------------------------------------------------------

(0Day) Schneider Electric U.motion Builder runscript Directory Traversal
Information Disclosure Vulnerability

ZDI-17-389: June 12th, 2017

CVSS Score

    5, (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Vendors

    Schneider Electric

Affected Products

    U.motion Builder

TippingPoint(TM) IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by
Digital Vaccine protection filter ID 24384. For further product information
on the TippingPoint IPS:

    http://www.tippingpoint.com

Vulnerability Details

This vulnerability allows remote attackers to exfiltrate arbitrary
files on vulnerable installations of Schneider Electric U.motion
Builder. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the runscript.php applet. There is a directory
traversal vulnerability in the processing of the 's' parameter of the
applet. An attacker can leverage this vulnerability to disclose files from
the system.

Vendor Response

Schneider Electric states:

This vulnerability is being disclosed publicly without a patch in accordance
with the ZDI 120 day deadline.

03/29/2016 - ZDI disclosed the vulnerability reports to ICS-CERT (with an
expected 'due date' of 07/27/16).
03/29/2016 - ICS-CERT acknowledged that they received them and "sent them
on to our contacts at Schneider Electric, and will keep you informed of
their progress. We are tracking these issues as ICS-VU-291195."
08/24/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
09/08/2016 - ICS-CERT replied requesting more information on one
vulnerability report, but said of the others, "they have successfully
validated the rest of the vulnerability reports. Unfortunately, they don't
expect to have a patch ready until the end of this year." ICS-CERT suggested
they would work with the vendor to try to bring this in.
09/19/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor
was anywhere closer.
10/11/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor
was anywhere closer and stressed potential 0-day.
12/14/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
06/02/2017 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.

-- Mitigation:

Given the nature of the vulnerability, the only salient mitigation
strategy is to restrict interaction with the service to trusted
machines. Only the clients and servers that have a legitimate
procedural relationship with the service should be permitted to
communicate with it. This could be accomplished in a number of ways,
most notably with firewall rules/whitelisting. These features
are available in the native Windows Firewall, as described in
http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and
numerous other Microsoft Knowledge Base articles.

Disclosure Timeline

    2016-04-04 - Vulnerability reported to vendor
    2017-06-12 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

    rgod

-----------------------------------------------------------------------------

(0Day) Schneider Electric U.motion Builder css.inc Directory Traversal
Information Disclosure Vulnerability

ZDI-17-390: June 12th, 2017

CVSS Score

    5, (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Vendors

    Schneider Electric

Affected Products

    U.motion Builder

TippingPoint(TM) IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by
Digital Vaccine protection filter ID 24383. For further product information
on the TippingPoint IPS:

    http://www.tippingpoint.com

Vulnerability Details

This vulnerability allows remote attackers to disclose files on vulnerable
installations of Schneider Electric U.motion Builder. Authentication is
not required to exploit this vulnerability.

The specific flaw exists within css.inc.php. The 'css' parameter contains
a directory traversal vulnerability. An attacker can leverage this to
disclose files.
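
The three path-handling flaws above (the unconstrained upload path of
file_picker.php, the 's' parameter of runscript.php and the 'css' parameter
of css.inc.php) have one root cause: a user-supplied path is joined to a base
directory without checking that the result still lies inside it. The Python
example below is added here and is not the product's code; it shows the
containment check such a fix needs and reuses it to flag traversal attempts in
web-server access logs. The base directory /srv/umotion, the file_picker
parameter name 'path' and the log lines are all constructed assumptions; only
the endpoint names and the 's' and 'css' parameter names come from the
advisories.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints and the request parameters carrying a file path. 's' and 'css' are
# named in the advisories; 'path' for file_picker.php is a hypothetical name.
WATCHED_PARAMS = {
    "/runscript.php": ("s",),
    "/css.inc.php": ("css",),
    "/file_picker.php": ("path",),
}

# Combined-format access log line; only the client IP and request target are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def resolve_within(base_dir, user_path):
    """Join user_path to base_dir and return the normalized path, or None if it
    escapes. Backslashes are folded to '/', NUL bytes are rejected, and an
    absolute user_path is rejected because posixpath.join would drop base_dir."""
    if "\x00" in user_path:
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_path.replace("\\", "/")))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


def decode_param(value):
    """Decode percent-encoding a second time so a double-encoded '..' is still seen
    (parse_qs already performed the first decode)."""
    return unquote(unquote(value))


def scan_access_log(log_text, base_dir="/srv/umotion"):
    """Return (client_ip, endpoint, parameter, decoded_value) for every request
    whose watched path parameter would escape base_dir."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        params = WATCHED_PARAMS.get(url.path)
        if not params:
            continue
        query = parse_qs(url.query, keep_blank_values=True)
        for name in params:
            for raw in query.get(name, []):
                value = decode_param(raw)
                if resolve_within(base_dir, value) is None:
                    findings.append((m.group("ip"), url.path, name, value))
    return findings


# Constructed sample lines, not real traffic. Line 3 is double percent-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2017:10:00:01 +1000] "GET /css.inc.php?css=themes/default.css HTTP/1.1" 200 512
10.0.0.9 - - [12/Jun/2017:10:00:02 +1000] "GET /css.inc.php?css=../../../../etc/hostname HTTP/1.1" 200 64
10.0.0.9 - - [12/Jun/2017:10:00:03 +1000] "GET /runscript.php?s=..%252F..%252Fsettings.ini HTTP/1.1" 200 730
10.0.0.5 - - [12/Jun/2017:10:00:04 +1000] "GET /runscript.php?s=scripts/scene1.js HTTP/1.1" 200 300
10.0.0.5 - - [12/Jun/2017:10:00:05 +1000] "GET /index.php HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("traversal attempt:", hit)
```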

Vendor Response

Schneider Electric states:

This vulnerability is being disclosed publicly without a patch in accordance
with the ZDI 120 day deadline.

03/29/2016 - ZDI disclosed the vulnerability reports to ICS-CERT (with an
expected 'due date' of 07/27/16).
03/29/2016 - ICS-CERT acknowledged that they received them and "sent them
on to our contacts at Schneider Electric, and will keep you informed of
their progress. We are tracking these issues as ICS-VU-291195."
08/24/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
09/08/2016 - ICS-CERT replied requesting more information on one
vulnerability report, but said of the others, "they have successfully
validated the rest of the vulnerability reports. Unfortunately, they don't
expect to have a patch ready until the end of this year." ICS-CERT suggested
they would work with the vendor to try to bring this in.
09/19/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor
was anywhere closer.
10/11/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor
was anywhere closer and stressed potential 0-day.
12/14/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
06/02/2017 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.

-- Mitigation:

Given the nature of the vulnerability, the only salient mitigation
strategy is to restrict interaction with the service to trusted
machines. Only the clients and servers that have a legitimate
procedural relationship with the service should be permitted to
communicate with it. This could be accomplished in a number of ways,
most notably with firewall rules/whitelisting. These features
are available in the native Windows Firewall, as described in
http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and
numerous other Microsoft Knowledge Base articles.

Disclosure Timeline

    2016-04-04 - Vulnerability reported to vendor
    2017-06-12 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

    rgod

-----------------------------------------------------------------------------

(0Day) Schneider Electric U.motion Builder Embedded Session ID Authentication
Bypass Vulnerability

ZDI-17-391: June 12th, 2017

CVSS Score

    7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Vendors

    Schneider Electric

Affected Products

    U.motion Builder

TippingPoint(TM) IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by
Digital Vaccine protection filter ID 24382. For further product information
on the TippingPoint IPS:

    http://www.tippingpoint.com

Vulnerability Details

This vulnerability allows remote attackers to bypass authentication
on vulnerable installations of Schneider Electric U.motion
Builder. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of session management. The
application has a hard-coded static session ID. By embedding that session
ID in the HTTP cookie, an attacker can bypass authentication and execute
functionality on the application.

Vendor Response

Schneider Electric states:

This vulnerability is being disclosed publicly without a patch in accordance
with the ZDI 120 day deadline.

03/29/2016 - ZDI disclosed the vulnerability reports to ICS-CERT (with an
expected 'due date' of 07/27/16).
03/29/2016 - ICS-CERT acknowledged that they received them and "sent them
on to our contacts at Schneider Electric, and will keep you informed of
their progress. We are tracking these issues as ICS-VU-291195."
08/24/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
09/08/2016 - ICS-CERT replied requesting more information on one
vulnerability report, but said of the others, "they have successfully
validated the rest of the vulnerability reports. Unfortunately, they don't
expect to have a patch ready until the end of this year." ICS-CERT suggested
they would work with the vendor to try to bring this in.
09/19/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor
was anywhere closer.
10/11/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor
was anywhere closer and stressed potential 0-day.
12/14/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
06/02/2017 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.

-- Mitigation:

Given the nature of the vulnerability, the only salient mitigation
strategy is to restrict interaction with the service to trusted
machines. Only the clients and servers that have a legitimate
procedural relationship with the service should be permitted to
communicate with it. This could be accomplished in a number of ways,
most notably with firewall rules/whitelisting. These features
are available in the native Windows Firewall, as described in
http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and
numerous other Microsoft Knowledge Base articles.

Disclosure Timeline

    2016-04-04 - Vulnerability reported to vendor
    2017-06-12 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

    rgod

-----------------------------------------------------------------------------

(0Day) Schneider Electric U.motion Builder Local Privilege Escalation
Vulnerability

ZDI-17-392: June 12th, 2017

CVSS Score

    6.8, (AV:L/AC:L/Au:S/C:C/I:C/A:C)

Affected Vendors

    Schneider Electric

Affected Products

    U.motion Builder

Vulnerability Details

This vulnerability allows attackers to execute arbitrary code on vulnerable
installations of Schneider Electric U.motion Builder. Authentication is
required to exploit this vulnerability.

The specific flaw exists within the handling of the system configuration. The
web administration account is set up with the ability to sudo without a
password. An attacker can leverage this vulnerability to execute arbitrary
code under the context of root.
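
This last flaw is a configuration defect rather than a code defect: an
account that may run sudo without a password. The Python example below is
added here and is not part of the advisory; it is a simplified sudoers audit
that lists every NOPASSWD grant and marks a grant covering ALL commands as
unrestricted, which is the condition an operator should look for on an
affected installation. The sudoers text and the account name www-admin are
constructed assumptions, and aliases are reported by name rather than
expanded.

```python
import re

# Simplified sudoers user-specification parser (not a full sudoers grammar):
#   who  host = (runas) [TAG:] cmd1, [TAG:] cmd2, ...
# Continuation lines ending in '\' are joined; comments, #include directives,
# Defaults lines and alias definitions are skipped.
SPEC_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?P<rest>.+)$")
RUNAS_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*")
TAG_RE = re.compile(r"^((?:[A-Z_]+:\s*)+)")
ALIAS_RE = re.compile(r"^(User|Runas|Host|Cmnd)_Alias\b")


def _logical_lines(text):
    """Yield sudoers lines with backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def find_nopasswd_grants(sudoers_text):
    """Return one dict per user specification that grants NOPASSWD commands."""
    grants = []
    for line in _logical_lines(sudoers_text):
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        if ALIAS_RE.match(line):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        rest = m.group("rest").strip()
        runas = "root"                      # sudo's default target user
        r = RUNAS_RE.match(rest)
        if r:
            runas = r.group("runas") or "root"
            rest = rest[r.end():]
        # A tag stays in force for every following command until another tag.
        nopasswd = False
        commands = []
        for cmd in (c.strip() for c in rest.split(",")):
            t = TAG_RE.match(cmd)
            if t:
                tags = t.group(1).replace(" ", "").split(":")
                if "NOPASSWD" in tags:
                    nopasswd = True
                if "PASSWD" in tags:
                    nopasswd = False
                cmd = cmd[t.end():].strip()
            if nopasswd and cmd:
                commands.append(cmd)
        if commands:
            grants.append({
                "who": m.group("who"), "host": m.group("host"), "runas": runas,
                "commands": commands, "unrestricted": "ALL" in commands,
            })
    return grants


# Constructed sample, not a real configuration. The www-admin line is the
# pattern the advisory describes; the backup line shows a scoped grant.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%sudo           ALL=(ALL:ALL) ALL
www-admin       ALL=(ALL) NOPASSWD: ALL
backup          ALL=(root) NOPASSWD: /usr/bin/rsync, \\
                PASSWD: /bin/systemctl restart backup
"""

if __name__ == "__main__":
    for g in find_nopasswd_grants(SAMPLE_SUDOERS):
        level = "UNRESTRICTED" if g["unrestricted"] else "scoped"
        print(f"{level}: {g['who']} on {g['host']} as ({g['runas']}) -> {g['commands']}")
```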

Vendor Response

Schneider Electric states:

This vulnerability is being disclosed publicly without a patch in accordance
with the ZDI 120 day deadline.

03/29/2016 - ZDI disclosed the vulnerability reports to ICS-CERT (with an
expected 'due date' of 07/27/16).
03/29/2016 - ICS-CERT acknowledged that they received them and "sent them
on to our contacts at Schneider Electric, and will keep you informed of
their progress. We are tracking these issues as ICS-VU-291195."
08/24/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
09/08/2016 - ICS-CERT replied requesting more information on one
vulnerability report, but said of the others, "they have successfully
validated the rest of the vulnerability reports. Unfortunately, they don't
expect to have a patch ready until the end of this year." ICS-CERT suggested
they would work with the vendor to try to bring this in.
09/19/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor
was anywhere closer.
10/11/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor
was anywhere closer and stressed potential 0-day.
12/14/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
06/02/2017 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.

-- Mitigation:

Given the nature of the vulnerability, the only salient mitigation
strategy is to restrict interaction with the service to trusted
machines. Only the clients and servers that have a legitimate
procedural relationship with the service should be permitted to
communicate with it. This could be accomplished in a number of ways,
most notably with firewall rules/whitelisting. These features
are available in the native Windows Firewall, as described in
http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and
numerous other Microsoft Knowledge Base articles.

Disclosure Timeline

    2016-04-04 - Vulnerability reported to vendor
    2017-06-12 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

    rgod

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================