ID

VAR-201807-1863


CVE

CVE-2018-7765


TITLE

Schneider Electric U.motion Builder track_import_export Remote code execution vulnerability

Trust: 0.8

sources: IVD: 2d961346-1bc1-490c-bd66-36977c43a317 // CNVD: CNVD-2017-09467

DESCRIPTION

The vulnerability exists within processing of track_import_export.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the object_id input parameter. Authentication is not required to exploit this vulnerability. The specific flaw exists within processing of track_import_export.php, which is exposed on the web service with no authentication. A remote attacker can leverage this vulnerability to execute arbitrary commands against the database

Trust: 3.06

sources: NVD: CVE-2018-7765 // JVNDB: JVNDB-2018-006832 // ZDI: ZDI-17-378 // CNVD: CNVD-2017-09467 // IVD: 2d961346-1bc1-490c-bd66-36977c43a317 // VULMON: CVE-2018-7765

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 2d961346-1bc1-490c-bd66-36977c43a317 // CNVD: CNVD-2017-09467

AFFECTED PRODUCTS

vendor:schneider electricmodel:u.motion builderscope:ltversion:1.3.4

Trust: 1.0

vendor:schneider electricmodel:u.motion builder softwarescope:ltversion:1.3.4

Trust: 0.8

vendor:schneider electricmodel:u.motion builderscope: - version: -

Trust: 0.7

vendor:schneidermodel:electric u.motion builderscope: - version: -

Trust: 0.6

vendor:schneider electricmodel:u.motion builderscope:eqversion:1.2.1

Trust: 0.6

vendor:u motion buildermodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 2d961346-1bc1-490c-bd66-36977c43a317 // ZDI: ZDI-17-378 // CNVD: CNVD-2017-09467 // JVNDB: JVNDB-2018-006832 // CNNVD: CNNVD-201807-160 // NVD: CVE-2018-7765

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-7765
value: HIGH

Trust: 1.0

NVD: CVE-2018-7765
value: HIGH

Trust: 0.8

ZDI: ZDI-17-378
value: HIGH

Trust: 0.7

CNVD: CNVD-2017-09467
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201807-160
value: HIGH

Trust: 0.6

IVD: 2d961346-1bc1-490c-bd66-36977c43a317
value: HIGH

Trust: 0.2

VULMON: CVE-2018-7765
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-7765
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

ZDI: ZDI-17-378
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

CNVD: CNVD-2017-09467
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 2d961346-1bc1-490c-bd66-36977c43a317
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2018-7765
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: 2d961346-1bc1-490c-bd66-36977c43a317 // ZDI: ZDI-17-378 // CNVD: CNVD-2017-09467 // VULMON: CVE-2018-7765 // JVNDB: JVNDB-2018-006832 // CNNVD: CNNVD-201807-160 // NVD: CVE-2018-7765

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.8

sources: JVNDB: JVNDB-2018-006832 // NVD: CVE-2018-7765

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201807-160

TYPE

SQL injection

Trust: 0.8

sources: IVD: 2d961346-1bc1-490c-bd66-36977c43a317 // CNNVD: CNNVD-201807-160

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-006832

PATCH

title:SEVD-2018-095-01url:https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2018-095-01+Security+Notification+Umotion+V1.1.pdf&p_Doc_Ref=SEVD-2018-095-01

Trust: 0.8

title:This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.03/29/2016 - ZDI disclosed the vulnerability reports to ICS-CERT (with an expected 'due date' of 07/27/16).03/29/2016 - ICS-CERT acknowledged that they received them and "sent them on to our contacts at Schneider Electric, and will keep you informed of their progress. We are tracking these issues as ICS-VU-291195."08/24/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.09/08/2016 - ICS-CERT replied requesting more information on one vulnerability report, but said of the others, "they have successfully validated the rest of the vulnerability reports. Unfortunately, they don't expect to have a patch ready until the end of this year." ICS-CERT suggested they would work with the vendor to try to bring this in.09/19/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer.10/11/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer and stressed potential 0-day.12/14/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.06/02/2017 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.-- Mitigation:Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in and numerous other Microsoft Knowledge Base articles.url:http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx

Trust: 0.7

title:Schneider Electric U.motion Builder software SQL Repair measures for injecting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=81729

Trust: 0.6

sources: ZDI: ZDI-17-378 // JVNDB: JVNDB-2018-006832 // CNNVD: CNNVD-201807-160

EXTERNAL IDS

db:NVDid:CVE-2018-7765

Trust: 3.3

db:SCHNEIDERid:SEVD-2018-095-01

Trust: 1.7

db:ZDIid:ZDI-17-378

Trust: 1.3

db:ICS CERTid:ICSA-17-180-02

Trust: 0.9

db:CNVDid:CNVD-2017-09467

Trust: 0.8

db:CNNVDid:CNNVD-201807-160

Trust: 0.8

db:JVNDBid:JVNDB-2018-006832

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-3629

Trust: 0.7

db:IVDid:2D961346-1BC1-490C-BD66-36977C43A317

Trust: 0.2

db:VULMONid:CVE-2018-7765

Trust: 0.1

sources: IVD: 2d961346-1bc1-490c-bd66-36977c43a317 // ZDI: ZDI-17-378 // CNVD: CNVD-2017-09467 // VULMON: CVE-2018-7765 // JVNDB: JVNDB-2018-006832 // CNNVD: CNNVD-201807-160 // NVD: CVE-2018-7765

REFERENCES

url:http://seclists.org/fulldisclosure/2019/may/26

Trust: 1.8

url:https://www.schneider-electric.com/en/download/document/sevd-2018-095-01/

Trust: 1.7

url:https://ics-cert.us-cert.gov/advisories/icsa-17-180-02

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-7765

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-7765

Trust: 0.8

url:http://technet.microsoft.com/en-us/library/cc725770%28ws.10%29.aspx

Trust: 0.7

url:http://www.zerodayinitiative.com/advisories/zdi-17-378/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/89.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: ZDI: ZDI-17-378 // CNVD: CNVD-2017-09467 // VULMON: CVE-2018-7765 // JVNDB: JVNDB-2018-006832 // CNNVD: CNNVD-201807-160 // NVD: CVE-2018-7765

CREDITS

rgod

Trust: 0.7

sources: ZDI: ZDI-17-378

SOURCES

db:IVDid:2d961346-1bc1-490c-bd66-36977c43a317
db:ZDIid:ZDI-17-378
db:CNVDid:CNVD-2017-09467
db:VULMONid:CVE-2018-7765
db:JVNDBid:JVNDB-2018-006832
db:CNNVDid:CNNVD-201807-160
db:NVDid:CVE-2018-7765

LAST UPDATE DATE

2024-11-23T21:31:57.203000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-17-378date:2017-06-12T00:00:00
db:CNVDid:CNVD-2017-09467date:2017-06-14T00:00:00
db:VULMONid:CVE-2018-7765date:2019-05-14T00:00:00
db:JVNDBid:JVNDB-2018-006832date:2019-01-09T00:00:00
db:CNNVDid:CNNVD-201807-160date:2019-05-15T00:00:00
db:NVDid:CVE-2018-7765date:2024-11-21T04:12:41.740

SOURCES RELEASE DATE

db:IVDid:2d961346-1bc1-490c-bd66-36977c43a317date:2017-06-14T00:00:00
db:ZDIid:ZDI-17-378date:2017-06-12T00:00:00
db:CNVDid:CNVD-2017-09467date:2017-06-14T00:00:00
db:VULMONid:CVE-2018-7765date:2018-07-03T00:00:00
db:JVNDBid:JVNDB-2018-006832date:2018-09-03T00:00:00
db:CNNVDid:CNNVD-201807-160date:2018-07-04T00:00:00
db:NVDid:CVE-2018-7765date:2018-07-03T14:29:00.617