ID

VAR-201807-1863


CVE

CVE-2018-7765


TITLE

Schneider Electric U.motion Builder track_import_export Remote code execution vulnerability

Trust: 0.8

sources: IVD: 2d961346-1bc1-490c-bd66-36977c43a317 // CNVD: CNVD-2017-09467

DESCRIPTION

The vulnerability exists within processing of track_import_export.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the object_id input parameter. Authentication is not required to exploit this vulnerability. The specific flaw exists within processing of track_import_export.php, which is exposed on the web service with no authentication. A remote attacker can leverage this vulnerability to execute arbitrary commands against the database.

Trust: 3.06

sources: NVD: CVE-2018-7765 // JVNDB: JVNDB-2018-006832 // ZDI: ZDI-17-378 // CNVD: CNVD-2017-09467 // IVD: 2d961346-1bc1-490c-bd66-36977c43a317 // VULMON: CVE-2018-7765

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: 2d961346-1bc1-490c-bd66-36977c43a317 // CNVD: CNVD-2017-09467

AFFECTED PRODUCTS

vendor: schneider electric, model: u.motion builder, scope: lt, version: 1.3.4

Trust: 1.0

vendor: schneider electric, model: u.motion builder software, scope: lt, version: 1.3.4

Trust: 0.8

vendor: schneider electric, model: u.motion builder, scope: -, version: -

Trust: 0.7

vendor: schneider, model: electric u.motion builder, scope: -, version: -

Trust: 0.6

vendor: schneider electric, model: u.motion builder, scope: eq, version: 1.2.1

Trust: 0.6

vendor: u motion builder, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: 2d961346-1bc1-490c-bd66-36977c43a317 // ZDI: ZDI-17-378 // CNVD: CNVD-2017-09467 // JVNDB: JVNDB-2018-006832 // CNNVD: CNNVD-201807-160 // NVD: CVE-2018-7765

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-7765
value: HIGH

Trust: 1.0

NVD: CVE-2018-7765
value: HIGH

Trust: 0.8

ZDI: ZDI-17-378
value: HIGH

Trust: 0.7

CNVD: CNVD-2017-09467
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201807-160
value: HIGH

Trust: 0.6

IVD: 2d961346-1bc1-490c-bd66-36977c43a317
value: HIGH

Trust: 0.2

VULMON: CVE-2018-7765
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-7765
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

ZDI: ZDI-17-378
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

CNVD: CNVD-2017-09467
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 2d961346-1bc1-490c-bd66-36977c43a317
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2018-7765
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: 2d961346-1bc1-490c-bd66-36977c43a317 // ZDI: ZDI-17-378 // CNVD: CNVD-2017-09467 // VULMON: CVE-2018-7765 // JVNDB: JVNDB-2018-006832 // CNNVD: CNNVD-201807-160 // NVD: CVE-2018-7765

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.8

sources: JVNDB: JVNDB-2018-006832 // NVD: CVE-2018-7765

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201807-160

TYPE

SQL injection

Trust: 0.8

sources: IVD: 2d961346-1bc1-490c-bd66-36977c43a317 // CNNVD: CNNVD-201807-160

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-006832

PATCH

title: SEVD-2018-095-01
url: https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2018-095-01+Security+Notification+Umotion+V1.1.pdf&p_Doc_Ref=SEVD-2018-095-01

Trust: 0.8

title: This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

03/29/2016 - ZDI disclosed the vulnerability reports to ICS-CERT (with an expected 'due date' of 07/27/16).
03/29/2016 - ICS-CERT acknowledged that they received them and "sent them on to our contacts at Schneider Electric, and will keep you informed of their progress. We are tracking these issues as ICS-VU-291195."
08/24/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
09/08/2016 - ICS-CERT replied requesting more information on one vulnerability report, but said of the others, "they have successfully validated the rest of the vulnerability reports. Unfortunately, they don't expect to have a patch ready until the end of this year." ICS-CERT suggested they would work with the vendor to try to bring this in.
09/19/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer.
10/11/2016 - ZDI sent a follow-up inquiry to ICS-CERT asking if the vendor was anywhere closer and stressed potential 0-day.
12/14/2016 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.
06/02/2017 - ZDI sent a follow-up inquiry to ICS-CERT requesting the status.

-- Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in and numerous other Microsoft Knowledge Base articles.
url: http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx

Trust: 0.7

title: Schneider Electric U.motion Builder software SQL injection vulnerability repair measures
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=81729

Trust: 0.6

sources: ZDI: ZDI-17-378 // JVNDB: JVNDB-2018-006832 // CNNVD: CNNVD-201807-160

EXTERNAL IDS

db: NVD, id: CVE-2018-7765

Trust: 3.3

db: SCHNEIDER, id: SEVD-2018-095-01

Trust: 1.7

db: ZDI, id: ZDI-17-378

Trust: 1.3

db: ICS CERT, id: ICSA-17-180-02

Trust: 0.9

db: CNVD, id: CNVD-2017-09467

Trust: 0.8

db: CNNVD, id: CNNVD-201807-160

Trust: 0.8

db: JVNDB, id: JVNDB-2018-006832

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-3629

Trust: 0.7

db: IVD, id: 2D961346-1BC1-490C-BD66-36977C43A317

Trust: 0.2

db: VULMON, id: CVE-2018-7765

Trust: 0.1

sources: IVD: 2d961346-1bc1-490c-bd66-36977c43a317 // ZDI: ZDI-17-378 // CNVD: CNVD-2017-09467 // VULMON: CVE-2018-7765 // JVNDB: JVNDB-2018-006832 // CNNVD: CNNVD-201807-160 // NVD: CVE-2018-7765

REFERENCES

url:http://seclists.org/fulldisclosure/2019/may/26

Trust: 1.8

url:https://www.schneider-electric.com/en/download/document/sevd-2018-095-01/

Trust: 1.7

url:https://ics-cert.us-cert.gov/advisories/icsa-17-180-02

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-7765

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-7765

Trust: 0.8

url:http://technet.microsoft.com/en-us/library/cc725770%28ws.10%29.aspx

Trust: 0.7

url:http://www.zerodayinitiative.com/advisories/zdi-17-378/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/89.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: ZDI: ZDI-17-378 // CNVD: CNVD-2017-09467 // VULMON: CVE-2018-7765 // JVNDB: JVNDB-2018-006832 // CNNVD: CNNVD-201807-160 // NVD: CVE-2018-7765

CREDITS

rgod

Trust: 0.7

sources: ZDI: ZDI-17-378

SOURCES

db: IVD, id: 2d961346-1bc1-490c-bd66-36977c43a317
db: ZDI, id: ZDI-17-378
db: CNVD, id: CNVD-2017-09467
db: VULMON, id: CVE-2018-7765
db: JVNDB, id: JVNDB-2018-006832
db: CNNVD, id: CNNVD-201807-160
db: NVD, id: CVE-2018-7765

LAST UPDATE DATE

2024-08-14T12:35:58.959000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-17-378, date: 2017-06-12T00:00:00
db: CNVD, id: CNVD-2017-09467, date: 2017-06-14T00:00:00
db: VULMON, id: CVE-2018-7765, date: 2019-05-14T00:00:00
db: JVNDB, id: JVNDB-2018-006832, date: 2019-01-09T00:00:00
db: CNNVD, id: CNNVD-201807-160, date: 2019-05-15T00:00:00
db: NVD, id: CVE-2018-7765, date: 2019-05-14T20:29:02.217

SOURCES RELEASE DATE

db: IVD, id: 2d961346-1bc1-490c-bd66-36977c43a317, date: 2017-06-14T00:00:00
db: ZDI, id: ZDI-17-378, date: 2017-06-12T00:00:00
db: CNVD, id: CNVD-2017-09467, date: 2017-06-14T00:00:00
db: VULMON, id: CVE-2018-7765, date: 2018-07-03T00:00:00
db: JVNDB, id: JVNDB-2018-006832, date: 2018-09-03T00:00:00
db: CNNVD, id: CNNVD-201807-160, date: 2018-07-04T00:00:00
db: NVD, id: CVE-2018-7765, date: 2018-07-03T14:29:00.617