Multiple remote code execution vulnerabilities have been corrected in Schneider Electric’s U.motion Builder. Fixes for the vulnerabilities are included in version 1.3.4 of the product.
# Vulnerability: Multiple Remote Code Execution Vulnerabilities in Schneider Electric U.motion Builder
## CVE Details
- **CVE ID:** CVE-2018-7784, CVE-2018-7785, CVE-2018-7786, CVE-2018-7787
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-78 (OS Command Injection), CWE-434 (Unrestricted Upload of File with Dangerous Type)
## Affected Systems
- **Products:** Schneider Electric U.motion Builder
- **Versions:** All versions prior to v1.3.4
- **Configurations:** Systems where the web management interface is accessible over the network.
## Vulnerability Description
U.motion Builder suffered from several flaws in its web-based management interface. The vulnerabilities include:
1. **Command Injection:** Improper validation of user-supplied input allows an unauthenticated attacker to inject and execute arbitrary OS commands via crafted HTTP requests.
2. **Unrestricted File Upload:** The application fails to properly restrict the types of files uploaded to the server. An attacker can upload malicious scripts (e.g., PHP shells) and execute them remotely, leading to full system compromise.
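The two weakness classes above (CWE-78 and CWE-434) are best understood next to the input handling that closes them. The following Python is an added example written for this page; it is not U.motion Builder code and makes no claim about how the product's endpoints are built. The `build_ping_argv` and `validate_upload` functions, the hostname pattern, the magic-byte allowlist and the scratch storage directory are all assumptions chosen for illustration.

```python
import re
import secrets
import tempfile
from pathlib import Path

# Hypothetical illustration of CWE-78 and CWE-434 mitigations (not vendor code).

# --- CWE-78: OS command injection ---
# Strict allowlist for a DNS host name: labels of letters, digits and hyphens,
# no leading hyphen (so the value can never be parsed as an option), no shell
# metacharacters. Anything else is rejected outright rather than "escaped".
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_ping_argv(host: str) -> list:
    """Validate user input against the allowlist and return an argv list.

    Passing a list to subprocess.run (without shell=True) means the host is
    delivered as a single argument; it is never interpreted by a shell.
    """
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid host name")
    return ["ping", "-c", "1", host]


# --- CWE-434: unrestricted upload of file with dangerous type ---
# Only image types are accepted, and each extension is tied to the leading
# bytes the content must start with. Script extensions are simply absent.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ALLOWED_UPLOADS = {".png": PNG_MAGIC, ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8"}


def validate_upload(filename: str, data: bytes) -> str:
    """Return a server-generated storage name or raise ValueError.

    Checks: path components stripped, exactly one extension (so "shell.php.jpg"
    is refused), extension on the allowlist, content matches the extension's
    magic bytes, and the caller never gets to choose the stored file name.
    """
    suffixes = Path(filename).name and Path(Path(filename).name).suffixes
    if len(suffixes) != 1:
        raise ValueError("exactly one extension required")
    ext = suffixes[0].lower()
    magic = ALLOWED_UPLOADS.get(ext)
    if magic is None:
        raise ValueError("extension not allowed")
    if not data.startswith(magic):
        raise ValueError("content does not match extension")
    return secrets.token_hex(16) + ext


def store_upload(upload_dir: Path, safe_name: str, data: bytes) -> Path:
    """Write with exclusive create into a directory the web server does not serve."""
    target = upload_dir / safe_name
    with target.open("xb") as f:  # "x" fails if the name already exists
        f.write(data)
    return target


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises ValueError; exercises the negative cases."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def demo() -> tuple:
    """Accept a well-formed PNG into a scratch directory and return what was stored."""
    with tempfile.TemporaryDirectory() as tmp:  # stands in for a non-web-served path
        name = validate_upload("photo.png", PNG_MAGIC + b"constructed-body")
        stored = store_upload(Path(tmp), name, PNG_MAGIC + b"constructed-body")
        return stored.suffix, stored.stat().st_size


if __name__ == "__main__":
    print(build_ping_argv("gateway.example.com"))
    print(demo())
```

The key design choice on the injection side is that validation is an allowlist and the command is built as an argv list, so there is no shell to inject into; on the upload side, the file type is decided by content and a fixed allowlist, the client-supplied name is discarded, and the file lands outside the web root so the web server will not execute it even if a check is bypassed.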
## Exploitation
- **Status:** PoC available (publicly disclosed shortly after vendor notification).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Total (Full access to system files and sensitive data).
- **Integrity:** Total (Ability to modify system configuration and application logic).
- **Availability:** Total (Ability to shut down services or render the device unusable).
## Remediation
### Patches
- **Update to U.motion Builder version 1.3.4 or later.** Schneider Electric has integrated fixes into this version to sanitize inputs and restrict file upload capabilities.
### Workarounds
- **Network Segmentation:** Ensure that U.motion Builder instances are not exposed to the public internet.
- **Access Control:** Restrict access to the management interface to trusted IP addresses only using firewalls or ACLs.
- **Disable Unnecessary Services:** If the Builder functionality is not actively required for production, disable the service.
## Detection
- **Indicators of Compromise:**
  - Presence of unexpected `.php` or script files in web-accessible directories.
  - Unusual outbound network traffic from the U.motion Builder host.
  - Log entries showing administrative commands executed by the web server user (e.g., `www-data`).
- **Detection Methods:** Vulnerability scanners (Nessus/OpenVAS) can be configured to detect outdated versions of U.motion Builder by checking the version string in the web headers.
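The first and third indicators above can be turned into a repeatable host check. The following Python is an added example, not part of the original advisory and not Schneider Electric tooling: it snapshots a known-good web root, reports script files that appear or change afterwards (including names such as `photo.php.jpg` that carry a script extension in the middle), and flags sudo log lines in which a web server account ran a command. The web root layout, the baseline format and the sample log lines are constructed for the example; the log parser follows sudo's default syslog line format.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Extensions the web server would execute if reached over HTTP. A file such as
# "upload.php.jpg" carries ".php" among its suffixes and is still flagged.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".phar", ".sh", ".py", ".pl"}

# Accounts common web servers run as (www-data is the one the advisory names).
WEB_SERVER_USERS = {"www-data", "apache", "nginx", "http", "httpd"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(webroot: Path) -> dict:
    """Map relative path -> SHA-256 for every file under a known-good web root.

    Take this snapshot right after installing or patching, before exposing the host.
    """
    return {
        p.relative_to(webroot).as_posix(): sha256_of(p)
        for p in sorted(webroot.rglob("*"))
        if p.is_file()
    }


def is_script(name: str) -> bool:
    """True if any suffix of the file name is one the web server could execute."""
    return any(s.lower() in SCRIPT_EXTENSIONS for s in Path(name).suffixes)


def find_unexpected_scripts(webroot: Path, baseline: dict) -> list:
    """Return script files absent from the baseline or whose content changed.

    Both a dropped web shell and a backdoored legitimate file show up here.
    """
    findings = []
    for p in sorted(webroot.rglob("*")):
        if not p.is_file() or not is_script(p.name):
            continue
        rel = p.relative_to(webroot).as_posix()
        if baseline.get(rel) != sha256_of(p):
            findings.append(rel)
    return findings


# sudo's default syslog format: "sudo: <user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_LINE = re.compile(r"sudo:\s+(?P<user>\S+)\s+:.*?COMMAND=(?P<cmd>.+)$")


def flag_webserver_commands(log_lines) -> list:
    """Return (user, command) pairs for sudo invocations by a web server account.

    A web application normally has no reason to run administrative commands.
    """
    hits = []
    for line in log_lines:
        m = SUDO_LINE.search(line)
        if m and m.group("user") in WEB_SERVER_USERS:
            hits.append((m.group("user"), m.group("cmd").strip()))
    return hits


# Constructed sample log lines (not from any real system) in sudo's syslog format.
SAMPLE_LOG_LINES = [
    "Jun 13 10:21:55 umotion sudo:   admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/systemctl restart apache2",
    "Jun 13 10:22:01 umotion sudo: www-data : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/bin/sh -c id",
    "Jun 13 10:22:03 umotion sshd[1201]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2",
]


def demo() -> tuple:
    """Baseline a scratch web root, plant constructed indicators, run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp)
        (webroot / "index.php").write_text("<?php echo 'ok'; ?>")
        (webroot / "css").mkdir()
        (webroot / "css" / "site.css").write_text("body{}")
        baseline = build_baseline(webroot)
        # Constructed indicators: a new script behind an image extension, and a modified original.
        (webroot / "uploads").mkdir()
        (webroot / "uploads" / "photo.php.jpg").write_text("<?php /* constructed */ ?>")
        (webroot / "index.php").write_text("<?php echo 'changed'; ?>")
        files = find_unexpected_scripts(webroot, baseline)
    commands = flag_webserver_commands(SAMPLE_LOG_LINES)
    return files, commands


if __name__ == "__main__":
    print(demo())
```

Run `build_baseline` once after updating to 1.3.4 and keep the resulting manifest off the host; a later `find_unexpected_scripts` against that manifest gives a short list to review rather than a whole web root, and the sudo check is cheap enough to run on every log rotation.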
## References
- Schneider Electric Advisory: hxxps[://]www[.]se[.]com/ww/en/download/document/SEVD-2018-144-01/
- Kaspersky ICS-CERT: hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2018/06/13/multiple-vulnerabilities-in-u-motion-builder/
- ICS-CERT (CISA): hxxps[://]www[.]cisa[.]gov/news-events/ics-advisories/icsa-18-144-01