Schneider Electric Fixes 16 Security Flaws in U.motion Builder Software
According to SecurityWeek, Schneider Electric informed its customers last week that it has fixed 16 vulnerabilities in the latest version of U.motion Builder, including medium- and high-severity issues such as path traversal, other flaws that may lead to information leakage, and remote code execution caused by SQL injection.
U.motion is a building automation solution used by commercial facilities, key manufacturing, and energy sectors around the world. U.motion Builder is a tool that allows users to create projects for their U.motion devices.
Most of U.motion Builder's vulnerabilities have reportedly been classified as medium severity, but several are rated critical based on their CVSS scores.
The most severe vulnerability, CVE-2017-7494, has a CVSS score of 10 and allows remote code execution; it is a flaw in the Samba software suite rather than in Schneider's own code. Because of its similarity to the WannaCry attack, some in the industry dubbed it "SambaCry". The vulnerability was found to affect equipment from several major vendors, including Cisco, Netgear, QNAP, Synology, Veritas, Sophos, and F5 Networks.
Another critical vulnerability in U.motion Builder is identified as CVE-2018-7777, which allows an authenticated attacker to remotely execute arbitrary code by sending a specially crafted request to the target server.
In addition, a SQL injection flaw, CVE-2018-7765, is also rated high severity.
These problems affect U.motion Builder versions prior to 1.3.4. In addition to providing patches, Schneider has shared recommendations for mitigating potential attacks.
Source: SecurityWeek