Schneider Mitigates ClearSCADA Holes

Wednesday, October 8, 2014 @ 01:10 PM gHale


Schneider Electric prepared new service packs to mitigate the weak hashing algorithm and cross-site scripting vulnerability in its StruxureWare SCADA Expert ClearSCADA, according to a report on ICS-CERT.

In addition, while analyzing that issue, which independent researcher Aditya Sood discovered, Schneider found another vulnerability in its StruxureWare SCADA Expert ClearSCADA product line.

Schneider Electric created patches that mitigate these remotely exploitable vulnerabilities.


The following Schneider Electric StruxureWare SCADA Expert ClearSCADA versions suffer from the issues:
• ClearSCADA 2010 R3 (build 72.4560),
• ClearSCADA 2010 R3.1 (build 72.4644),
• SCADA Expert ClearSCADA 2013 R1 (build 73.4729),
• SCADA Expert ClearSCADA 2013 R1.1 (build 73.4832),
• SCADA Expert ClearSCADA 2013 R1.1a (build 73.4903),
• SCADA Expert ClearSCADA 2013 R1.2 (build 73.4955),
• SCADA Expert ClearSCADA 2013 R2 (build 74.5094),
• SCADA Expert ClearSCADA 2013 R2.1 (build 74.5192), and
• SCADA Expert ClearSCADA 2013 R1 (build 75.5210).

The cross-site scripting vulnerability could trick a user with system administration privileges logged in via the WebX client to unknowingly execute a remote shutdown of the ClearSCADA Server.

The authentication bypass vulnerability could expose potentially sensitive system information to users without requiring logon credentials.

The self-signed web certificate provided with ClearSCADA uses MD5, a deprecated and weak signing algorithm, and could be deciphered, allowing an attacker to gain access to the system.

Schneider’s corporate headquarters is in Paris, France, and maintains offices in 190 countries worldwide.

The affected products, SCADA Expert ClearSCADA, are web-based SCADA systems. According to Schneider Electric, SCADA Expert ClearSCADA sees action across several sectors including commercial facilities, energy, and water and wastewater systems. Schneider estimates these products see use primarily in the United States and Europe with a small percentage in Asia.

SCADA Expert ClearSCADA versions released prior to September may be vulnerable to specific web cross-site scripting attacks. The attacker would have to trick the user with system administration privileges logged in via the WebX client interface to exploit this vulnerability. The attacker could then execute a remote shutdown of the ClearSCADA Server. An attacker would have to employ social engineering to exploit this vulnerability.

CVE-2014-5411 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.9.

The guest user account within ClearSCADA installations has read access to the ClearSCADA database for the purpose of demonstration for new users. This default security configuration is not sufficiently secure for systems placed into a production environment and can potentially expose sensitive system information to users without requiring login credentials.

CVE-2014-5412 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.4.

The default self-signed web certificate provided with ClearSCADA uses MD5, a deprecated and weak signing algorithm. An attacker could decrypt and decipher keys hashed with this algorithm.

CVE-2014-5413 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.

The authentication bypass and weak hashing algorithm vulnerabilities are exploitable remotely.

The cross-site scripting vulnerability is not exploitable remotely and needs user interaction to exploit it. The exploit only triggers when a local user with administrative access runs the WebX Client.

No known public exploits specifically target these vulnerabilities. An attacker with a low to moderate skill would be able to exploit the authentication bypass and weak hashing algorithm vulnerabilities. Crafting a working exploit for the cross-site scripting vulnerability would be difficult. An attacker would have to use social engineering to trick the user to exploit the cross-site scripting vulnerability. This decreases the likelihood of a successful exploit.

Schneider Electric has prepared new service packs to mitigate the vulnerabilities.

Weak Hashing Algorithm
Asset owners should always obtain a signed web certificate from a certificate authority before deploying ClearSCADA Web Server in a production environment.

To assist asset owners who are currently using self-signed certificates, a standalone utility will be available that can generate and deploy a new self-signed certificate (signed using an SHA signing algorithm). This utility is for existing ClearSCADA systems subject to this vulnerability, removing the need to upgrade the ClearSCADA software and perform a manual generation of a new certificate. This utility will be made available within the Software Downloads section on this ClearSCADA Resource Center page.
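As an added check for the weak-certificate issue (this is example code, not from Schneider, ICS-CERT or the ClearSCADA utility), the following Python script reads the signature algorithm OID out of a DER-encoded certificate and flags MD5 or SHA-1 signatures; `check_server` fetches a live web server's certificate with the standard library, and `sample_cert` builds a constructed stand-in certificate (assumed, not a real ClearSCADA certificate) so the parser can be exercised offline.

```python
import ssl

# Signature-algorithm OIDs an asset owner should treat as weak (MD5/SHA-1 with RSA).
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                 "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}
# DER content octets of two signature OIDs, used only to build the constructed samples.
MD5_RSA_OID = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

def _tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw):
    """Convert OID content octets to dotted notation (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der_cert):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    _, body, _ = _tlv(der_cert, 0)                  # Certificate ::= SEQUENCE
    _, _, pos = _tlv(body, 0)                       # skip tbsCertificate
    _, alg_id, _ = _tlv(body, pos)                  # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _tlv(alg_id, 0)                   # algorithm OBJECT IDENTIFIER
    if tag != 0x06: raise ValueError("malformed AlgorithmIdentifier")
    return _decode_oid(oid)

def is_weak_signature(der_cert):                    # True for MD5- or SHA-1-signed certs
    return signature_algorithm(der_cert) in WEAK_SIG_OIDS

def check_server(host, port=443):                   # live check of a deployed web server
    pem = ssl.get_server_certificate((host, port))
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))

_der = lambda tag, content: bytes([tag, len(content)]) + content  # short-form DER TLV

def sample_cert(sig_oid):                           # constructed stand-in, dummy TBS body
    tbs = _der(0x30, _der(0x02, b"\x01"))           # placeholder tbsCertificate
    alg = _der(0x30, _der(0x06, sig_oid) + b"\x05\x00")  # OID + NULL parameters
    sig = _der(0x03, b"\x00" + b"\xab" * 4)         # BIT STRING, dummy signature
    return _der(0x30, tbs + alg + sig)
```

Run `check_server("<clearscada-web-host>")` against the deployed server to confirm it no longer reports an OID listed in `WEAK_SIG_OIDS` after the replacement certificate is installed.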

XSS & Authentication Bypass
Schneider advises all ClearSCADA users to take steps to secure the interfaces to the ClearSCADA system. The ClearSCADA database security configuration should be reviewed and updated to limit all system access to authorized users only. The access permissions of existing users should be reduced to only those required by their role (e.g., removing any higher level System Administration privileges from Operations or Engineering users), and specific accounts should be created with appropriate permissions for performing System Administration tasks.

Existing ClearSCADA customers using WebX can protect their system from cross-site scripting attacks by disabling the “Allow database shutdown via WebX” option within the ClearSCADA Server Configuration utility.

Existing ClearSCADA customers should take measures to ensure their system does not grant any system access until users have supplied a valid username and password.

Schneider has corrected the default user security permissions; however, upgrading an existing vulnerable installation to a new version will not affect existing configured database security permissions.

Schneider Electric has corrected these vulnerabilities in the following service packs:
• ClearSCADA 2010 R3.2, released October
• SCADA Expert ClearSCADA 2014 R1.1, released October

If asset owners wish to upgrade to a new ClearSCADA Service Pack, contact the local Schneider office for the latest software version for ClearSCADA. These new versions are available for direct download from the Schneider Electric web site. To update their license (not required when upgrading to a service pack of the same version), asset owners must complete and submit an online form.

New service packs for ClearSCADA are available for download.

General instructions on how to upgrade the ClearSCADA license (if required) are here.
