Schneider Modbus Driver Buffer Overflow

Monday, March 31, 2014 @ 11:03 PM gHale


Schneider Electric created a patch that fixes the stack-based buffer overflow vulnerability in its Serial Modbus Driver that affects 11 Schneider Electric products, according to a report on ICS-CERT.

Carsten Eiram of Risk-Based Security discovered the remotely exploitable vulnerability.


The following Schneider Electric products bundle the Schneider Electric Modbus Serial Driver (ModbusDrv.exe), which starts when attempting to connect to a Programmable Logic Controller (PLC) via the serial port of a personal computer:
• TwidoSuite Versions 2.31.04 and earlier
• PowerSuite Versions 2.6 and earlier
• SoMove Versions 1.7 and earlier
• SoMachine Versions 2.0, 3.0, 3.1, and 3.0 XS
• Unity Pro Versions 7.0 and earlier
• UnityLoader Versions 2.3 and earlier
• Concept Versions 2.6 SR7 and earlier
• ModbusCommDTM sl Versions 2.1.2 and earlier
• PL7 Versions 4.5 SP5 and earlier
• SFT2841 Versions 14, 13.1 and earlier
• OPC Factory Server (OFS) Versions 3.40 and earlier

Modbus Serial Driver versions affected:
• Windows XP 32 bit V1.10 IE v37
• Windows Vista 32 bit V2.2 IE12
• Windows 7 32 bit V2.2 IE12
• Windows 7 64 bit V3.2 IE12

A successful exploit of this vulnerability could cause a buffer overflow that could allow arbitrary code execution with user privileges.

Schneider Electric corporate headquarters is in Paris, France, and maintains offices in more than 100 countries worldwide.

The affected products are mostly software-based utilities and engineering tools designed for programming and configuring process, machine, and general control applications. These applications rely on a common driver to communicate with PLCs. According to Schneider Electric, the affected software works across several sectors including chemical, critical manufacturing, dams, energy, food and agriculture, government facilities, nuclear reactors, materials, and waste, and transportation systems. Schneider Electric estimates these products see use primarily in China, United States, and Europe.

The Modbus Serial Driver creates a listener on Port 27700/TCP. When a connection is made, the Modbus Application Header is first read into a buffer. If a large buffer size is specified in this header, a stack-based buffer overflow results.

A second overflow problem can be exploited by overwriting the return address, allowing an attacker to execute arbitrary code with the permissions of the user running the software.
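The defect described above is a length field taken from the Modbus Application (MBAP) header and used to size a copy into a fixed stack buffer without comparing it to that buffer's capacity. The following is an added example, written for this article and not code from Schneider Electric or from ModbusDrv.exe, showing the hardened form of that parse step: the declared length is checked against the Modbus/TCP protocol maximum and against the local buffer before anything is copied. The framing limits (7-byte header, 260-byte maximum ADU, so at most 254 bytes after the length field) are taken from the Modbus messaging specification, not from the advisory; the sample frames are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Framing limits from the Modbus/TCP messaging spec (assumed here, not from the advisory):
 * the 7-byte MBAP header is transaction id (2), protocol id (2), length (2), unit id (1);
 * "length" counts the bytes after it (unit id + PDU) and a whole ADU is at most 260 bytes. */
#define MBAP_HEADER_LEN  7u
#define MODBUS_MAX_ADU   260u
#define MBAP_MAX_LENGTH  (MODBUS_MAX_ADU - 6u)   /* 254: unit id + 253-byte PDU */

typedef struct {
    uint16_t transaction_id;
    uint16_t protocol_id;   /* 0 for Modbus */
    uint16_t length;        /* bytes following the length field */
    uint8_t  unit_id;
} mbap_header_t;

typedef enum {
    MBAP_OK = 0,
    MBAP_ERR_SHORT,      /* fewer than MBAP_HEADER_LEN bytes received */
    MBAP_ERR_PROTOCOL,   /* protocol id is not 0 */
    MBAP_ERR_LENGTH,     /* declared length exceeds the spec or the local PDU buffer */
    MBAP_ERR_TRUNCATED   /* declared length exceeds what was actually received */
} mbap_status_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate the header and copy the PDU into a caller-owned buffer of pdu_cap bytes.
 * The length field is checked against both the protocol maximum and pdu_cap BEFORE
 * any copy; a driver that skips that comparison and copies "length" bytes into a
 * fixed stack buffer has the defect the advisory describes. */
mbap_status_t mbap_parse(const uint8_t *in, size_t in_len, mbap_header_t *hdr,
                         uint8_t *pdu_out, size_t pdu_cap, size_t *pdu_len)
{
    if (in_len < MBAP_HEADER_LEN) return MBAP_ERR_SHORT;
    hdr->transaction_id = be16(in);
    hdr->protocol_id    = be16(in + 2);
    hdr->length         = be16(in + 4);
    hdr->unit_id        = in[6];
    if (hdr->protocol_id != 0) return MBAP_ERR_PROTOCOL;
    if (hdr->length < 1 || hdr->length > MBAP_MAX_LENGTH) return MBAP_ERR_LENGTH;
    size_t want = (size_t)hdr->length - 1;        /* PDU bytes after the unit id */
    if (want > pdu_cap) return MBAP_ERR_LENGTH;   /* peer-controlled size vs. our buffer */
    if (MBAP_HEADER_LEN + want > in_len) return MBAP_ERR_TRUNCATED;
    memcpy(pdu_out, in + MBAP_HEADER_LEN, want);
    if (pdu_len) *pdu_len = want;
    return MBAP_OK;
}

/* Convenience wrapper: parse into a bounded local buffer, capped at pdu_cap bytes. */
mbap_status_t mbap_check(const uint8_t *frame, size_t n, size_t pdu_cap, size_t *pdu_len)
{
    uint8_t pdu[MODBUS_MAX_ADU];
    mbap_header_t hdr;
    if (pdu_cap > sizeof pdu) pdu_cap = sizeof pdu;
    return mbap_parse(frame, n, &hdr, pdu, pdu_cap, pdu_len);
}

/* Returns the accepted PDU length, or 0 when the frame is rejected. */
size_t mbap_accepted_pdu_len(const uint8_t *frame, size_t n, size_t pdu_cap)
{
    size_t len = 0;
    return mbap_check(frame, n, pdu_cap, &len) == MBAP_OK ? len : 0;
}

/* Constructed sample frames (not captured traffic). */
/* Well-formed Read Holding Registers request: tid 1, length 6, unit 1, FC 3, addr 0, qty 10. */
static const uint8_t SAMPLE_VALID[]    = {0x00,0x01, 0x00,0x00, 0x00,0x06, 0x01, 0x03, 0x00,0x00, 0x00,0x0A};
/* Header claims 65535 following bytes: the oversize-length case from the advisory. */
static const uint8_t SAMPLE_HUGE_LEN[] = {0x00,0x02, 0x00,0x00, 0xFF,0xFF, 0x01, 0x03, 0x00,0x00, 0x00,0x0A};
/* Header claims 6 following bytes but only 3 arrived. */
static const uint8_t SAMPLE_TRUNC[]    = {0x00,0x03, 0x00,0x00, 0x00,0x06, 0x01, 0x03, 0x00};

int main(void)
{
    printf("valid     -> %d (pdu %zu bytes)\n", mbap_check(SAMPLE_VALID, sizeof SAMPLE_VALID, 253, NULL),
           mbap_accepted_pdu_len(SAMPLE_VALID, sizeof SAMPLE_VALID, 253));
    printf("huge len  -> %d\n", mbap_check(SAMPLE_HUGE_LEN, sizeof SAMPLE_HUGE_LEN, 253, NULL));
    printf("small buf -> %d\n", mbap_check(SAMPLE_VALID, sizeof SAMPLE_VALID, 4, NULL));
    printf("truncated -> %d\n", mbap_check(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, 253, NULL));
    return 0;
}
```

The order of the checks matters: the protocol-maximum test rejects absurd values early, the capacity test is the one that actually protects the local buffer, and the truncation test prevents reading past the bytes that were received. None of these depends on trusting the peer, which is the property the vulnerable driver lacked.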

CVE-2013-0662 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

No known public exploits specifically target this vulnerability; an attacker with a high skill level would be able to exploit it.

Schneider Electric has released a security notification with further information on this vulnerability and how to mitigate it.

Schneider Electric recommends that users of the products that bundle this driver update to the latest version of the software.

New versions of OFS V3.5 and Unity Pro V8 include the updated ModbusDriverSuite. For the other products listed above, the updated ModbusDriverSuite will be included with each new version of those software products. Asset owners concerned about the Modbus Serial Driver used for those applications should contact Schneider Electric Technical Support.

Until the software is updated on vulnerable systems, Schneider Electric recommends a defense-in-depth strategy, which includes placing the PLCs and the machines running the vulnerable software behind firewalls configured to limit access to authorized personnel and protocols.

