Unpatched Flaws in Schneider Electric U.motion Builder Disclosed

The details of several vulnerabilities affecting Schneider Electric’s U.motion Builder software have been disclosed before the vendor released any patches.

Schneider Electric’s U.motion is a building automation solution used around the world mainly in the commercial facilities, critical manufacturing and energy sectors. U.motion Builder is a tool that allows users to create projects for their U.motion devices.

Security researcher Andrea Micalizzi, also known as “rgod,” discovered that the U.motion Builder software, version 1.2.1 and prior, is affected by several vulnerabilities, including ones rated critical and high severity.

Advisories published by ICS-CERT and the vendor describe the flaws as SQL injection, path traversal, authentication bypass, hardcoded password, improper access control, information disclosure, and denial-of-service (DoS) issues.

An attacker can exploit the security holes to execute arbitrary code and commands, steal files, gain access to the system with high privileges, obtain information, and cause a DoS condition – in some cases even without authentication.

The security holes were reported by Micalizzi to Schneider via Zero Day Initiative (ZDI) and ICS-CERT in March 2016. Several months later, the vendor said it was expecting a patch to become available by the end of the year.

Since fixes still haven’t been released, ZDI has made public more than 20 advisories detailing each of the vulnerabilities found by the researcher in U.motion Builder. The advisories include details, such as affected file and parameter, that could allow malicious actors to exploit the flaws.

Schneider Electric has now promised to release an update by the end of August and instructed customers to apply the patch as soon as it becomes available. In the meantime, the company has advised users to place the affected software behind a firewall, ensure that the machine hosting the software is not connected to the Web, use application whitelisting and access control features, and ensure that remote access is only possible over a trusted VPN.

This is not the first time researchers have decided to disclose unpatched flaws affecting Schneider products after the vendor’s failure to release patches or provide any status updates.

In April, experts disclosed two weaknesses affecting Schneider PLCs. The vendor admitted making a mistake in that case, but it seems it was not an isolated incident.

ICS-CERT has also published a couple of advisories this week detailing critical flaws in Siemens’ Viewport for Web Office Portal, SIMATIC, SINUMERIK and SIMOTION products.

Related: Learn More at SecurityWeek’s ICS Cyber Security Conference

Related: Schneider Electric Patches Flaws in ClearSCADA, Wonderware Products

Related: Schneider Patches Flaws in VAMPSET, SoMachine Products