11 April 2018

Multiple vulnerabilities closed in U.motion Builder building automation solution

Multiple vulnerabilities have been identified in U.motion Builder, a building automation software solution by Schneider Electric. The problem affects all versions of the product up to v. 1.3.4.

A total of 16 vulnerabilities of varying severity (overall CVSS v.3 scores ranging from 4.3 to 10) have been identified. The most severe is SambaCry (CVE-2017-7494), a flaw in the Samba server that allows arbitrary code to be executed remotely on a target system; its overall CVSS score is 10.0. Another critical vulnerability, CVE-2018-7777, which can only be exploited by an authenticated user, could allow remote code execution by sending specially crafted requests to the server under attack; its CVSS score is 8.8. The same score was calculated for another vulnerability, CVE-2018-7765, which could allow an attacker to perform SQL injection.

The remaining vulnerabilities, rated medium or low severity, include path traversal, information disclosure and remote code execution via SQL injection.

The vendor has released an update which closes these vulnerabilities. In addition, Schneider Electric recommends taking the following measures to improve security:

  • always placing the machine running the U.motion Builder software behind a robust firewall with carefully crafted rules to limit and control access;
  • never connecting the machine directly to the internet or placing it in the demilitarized zone (DMZ);
  • never routing internet traffic directly to a computer running U.motion Builder;
  • conducting remote access to the U.motion system only over a trusted virtual private network (VPN);
  • limiting connections to the U.motion Builder software to trusted machines only;
  • using application whitelisting to limit what can run on the machine running the U.motion Builder software.

Source: Schneider Electric