Schneider Eyes Fix for SCADA Holes

Wednesday, September 17, 2014 @ 03:09 PM gHale


There is a weak hashing algorithm vulnerability and a cross-site scripting vulnerability in Schneider Electric’s StruxureWare SCADA Expert ClearSCADA, according to a report on ICS-CERT.

In addition, while analyzing that issue, discovered by independent researcher Aditya Sood, Schneider found an additional vulnerability in its StruxureWare SCADA Expert ClearSCADA product line.

Schneider Electric is in the process of creating a patch that mitigates these remotely exploitable vulnerabilities.

The following Schneider Electric StruxureWare SCADA Expert ClearSCADA versions suffer from the issues:
• ClearSCADA 2010 R3 (build 72.4560),
• ClearSCADA 2010 R3.1 (build 72.4644),
• SCADA Expert ClearSCADA 2013 R1 (build 73.4729),
• SCADA Expert ClearSCADA 2013 R1.1 (build 73.4832),
• SCADA Expert ClearSCADA 2013 R1.1a (build 73.4903),
• SCADA Expert ClearSCADA 2013 R1.2 (build 73.4955),
• SCADA Expert ClearSCADA 2013 R2 (build 74.5094),
• SCADA Expert ClearSCADA 2013 R2.1 (build 74.5192), and
• SCADA Expert ClearSCADA 2013 R1 (build 75.5210).

The cross-site scripting vulnerability could be used to trick a user with system administration privileges, logged in via the WebX client, into unknowingly executing a remote shutdown of the ClearSCADA Server.

The authentication bypass vulnerability could expose potentially sensitive system information to users without requiring logon credentials.

The self-signed web certificate provided with ClearSCADA uses MD5, a deprecated and weak signing algorithm, and could be deciphered, allowing an attacker to gain access to the system.

Schneider’s corporate headquarters is in Paris, France, and the company maintains offices in 190 countries worldwide.

The affected products, SCADA Expert ClearSCADA, are web-based SCADA systems. According to Schneider Electric, SCADA Expert ClearSCADA sees action across several sectors including commercial facilities, energy, and water and wastewater systems. Schneider estimates these products see use primarily in the United States and Europe with a small percentage in Asia.

SCADA Expert ClearSCADA versions released prior to September 2014 may be vulnerable to specific web cross-site scripting attacks. The attacker would have to trick the user with system administration privileges logged in via the WebX client interface to exploit this vulnerability. The attacker could then execute a remote shutdown of the ClearSCADA Server. An attacker would have to employ social engineering to exploit this vulnerability.

CVE-2014-5411 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.9.

The guest user account within ClearSCADA installations has read access to the ClearSCADA database for the purpose of demonstration for new users. This default security configuration is not sufficiently secure for systems placed into a production environment and can potentially expose sensitive system information to users without requiring login credentials.

CVE-2014-5412 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.4.

The default self-signed web certificate provided with ClearSCADA uses MD5, a deprecated and weak signing algorithm. An attacker could decrypt and decipher keys hashed with this algorithm.

CVE-2014-5413 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.

The authentication bypass and weak hashing algorithm vulnerabilities are exploitable remotely.

The cross-site scripting vulnerability is not exploitable remotely and needs user interaction to exploit it. The exploit only triggers when a local user with administrative access runs the WebX Client.

No known public exploits specifically target these vulnerabilities. An attacker with a low to moderate skill would be able to exploit the authentication bypass and weak hashing algorithm vulnerabilities. Crafting a working exploit for the cross-site scripting vulnerability would be difficult. An attacker would have to use social engineering to trick the user to exploit the cross-site scripting vulnerability. This decreases the likelihood of a successful exploit.

Schneider Electric is preparing a new service pack to mitigate the vulnerabilities.

In the interim, Schneider made a list of recommendations.

Weak Hashing Algorithm:
Customers should always obtain a signed web certificate from a certificate authority before deploying ClearSCADA Web Server in a production environment.

To assist customers who are currently using self-signed certificates, a standalone utility will be available that can generate and deploy a new self-signed certificate (signed using an SHA signing algorithm). Schneider recommends this utility for existing ClearSCADA systems subject to this vulnerability, removing the need to upgrade the ClearSCADA software and perform a manual generation of a new certificate. This utility is available within the Software Downloads section of the following ClearSCADA Resource Center page.
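As an added example (not code from Schneider, ICS-CERT or the original article), the following standard-library Python check pulls the signatureAlgorithm OID out of a DER-encoded X.509 certificate and flags MD5-based (and SHA-1-based) signatures, which is the weakness described above in the default self-signed web certificate. The `build_skeleton_cert` helper is an assumption of this example: it constructs a structurally valid but fake certificate purely as test input, so the block runs offline without any real certificate.

```python
"""Flag X.509 certificates whose outer signature uses MD5 or SHA-1.

Added example, not Schneider/ICS-CERT code. Only the standard library is
used: a minimal DER walk finds the signatureAlgorithm OID of a Certificate
(SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }).
"""
import base64
import ssl

# RSA/ECDSA signature algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_ALGORITHMS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}


def _read_tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(raw: bytes) -> str:
    """Content octets of an OBJECT IDENTIFIER -> dotted-decimal string."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                      # base-128, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def signature_algorithm(der: bytes) -> str:
    """Return the name (or dotted OID if unknown) of the certificate's signature algorithm."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)      # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)    # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)     # its first element is the OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    dotted = _decode_oid(oid)
    return SIGNATURE_OIDS.get(dotted, dotted)


def is_weakly_signed(der: bytes) -> bool:
    return signature_algorithm(der) in WEAK_ALGORITHMS


def check_pem(pem: str) -> dict:
    """PEM text (e.g. from ssl.get_server_certificate((host, port))) -> verdict."""
    alg = signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))
    return {"algorithm": alg, "weak": alg in WEAK_ALGORITHMS}


# --- constructed test input below; not a real certificate ----------------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _encode_oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return out


def build_skeleton_cert(sig_oid: str, sig_len: int = 200) -> bytes:
    """Hypothetical test helper: outer Certificate shape with a stub tbsCertificate
    (just INTEGER serial 1), AlgorithmIdentifier {OID, NULL}, and a zero signature.
    sig_len > 127 exercises long-form DER lengths."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + b"\x00" * sig_len)  # BIT STRING, 0 unused bits
    return _tlv(0x30, tbs + alg + sig)


def to_pem(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")
```

Against a deployed web server the PEM from `ssl.get_server_certificate((host, port))` can be passed to `check_pem`; a result of `md5WithRSAEncryption` is exactly the default certificate the advisory tells customers to replace with a CA-issued or SHA-signed one. The check reads only the outer signatureAlgorithm field, which is the one that matters for this finding; it does not validate the chain or the signature itself.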

In addition, Schneider Electric is planning to correct the vulnerability immediately in the following Service Packs:
• ClearSCADA 2010 R3.2, Planned Release Sept. 2014
• SCADA Expert ClearSCADA 2014 R1.1, Planned Release Sept. 2014

Schneider is working on Service Packs for other supported versions.

XSS & Authentication Bypass:
Schneider advises all ClearSCADA users to take steps to secure the interfaces to the ClearSCADA system. The ClearSCADA database security configuration should be reviewed and updated to limit all system access to authorized users only. The access permissions of existing users should be reduced to only those required by their role (e.g., removing any higher level system administration privileges from operations or engineering users), and specific accounts should be created with appropriate permissions for performing system administration tasks.
• Existing ClearSCADA customers using WebX can protect their system from cross-site scripting attacks by disabling the “Allow database shutdown via WebX” option within the ClearSCADA Server Configuration utility.
• Existing ClearSCADA customers should take measures to ensure their system does not grant any system access until users have supplied a valid username and password.

Schneider corrected the default user security permissions and will make these available in all subsequent releases of SCADA Expert ClearSCADA. Upgrading an existing vulnerable installation to a new version will not affect existing configured database security permissions.