Schneider Mitigates PLCs Holes

Wednesday, June 5, 2013 @ 06:06 PM gHale

Schneider Electric has mitigation details for multiple vulnerabilities that affect its Modicon, Premium, and Quantum PLC modules, according to a report on ICS-CERT.

Independent researcher Arthur Gervais identified two remotely exploitable vulnerabilities in the common Ethernet modules used across a range of Schneider Electric’s PLC products. The vulnerabilities were disclosed at the 2013 Digital Bond SCADA Security Scientific Symposium (S4) conference this past January.


Schneider Electric validated the improper authentication vulnerability and cross-site request forgery vulnerability. Schneider Electric released mitigations for these vulnerabilities but does not plan to issue patches because of their complex nature. Schneider Electric said fixing these vulnerabilities would require significant changes to existing protocols and make any customer solutions currently using these features incompatible.

Schneider Electric investigated additional issues reported by the researcher and disagrees with him over whether the Magelis XBT HMI issue is a valid vulnerability. The Magelis XBT HMI panels have a security mode that requires a password to enable remote configuration uploads. Once this mode is enabled, the panel uses a factory default password. The user is not prompted to supply a new password, although the capability to change it is available. Once the user supplies a new password, the factory default password is no longer valid. This does not fit the definition of a hard-coded password, because the user can change it. Users should be aware of the potential for configuration errors that can lead to significant security issues.

Schneider Electric also could not duplicate the reported resource exhaustion issue affecting the M340 PLC family given the information supplied by the researcher. Software versions or specific configuration differences could account for the vendor’s inability to reproduce the results. In Schneider Electric’s testing of this issue, the communications module does in fact stop communicating when the connection limit is exceeded, but the PLC continues its control functions and its operation is unaffected. After the connection limit is exceeded, the communications module performs a soft reset. An attacker could not remotely exploit this observed behavior to deny PLC control functions.

All that being said, the following Schneider Electric products suffer from the issues:
• Modicon M340 PLC modules
• Quantum PLC modules
• Premium PLC modules

A malicious attacker may remotely halt, reset, or change settings for PLC modules by exploiting these vulnerabilities. This could affect products deployed in the critical manufacturing, energy, water, agriculture and food, dams, transportation, postal, nuclear, government facilities, and defense industrial sectors worldwide.

Schneider Electric is a Europe-based company that maintains offices in 190 countries worldwide. Their PLC products see use in a wide variety of automation and control applications across all industrial, infrastructure, and building sectors.

The affected PLC products, Modicon M340, Quantum, and Premium lines are PLC devices used in the United States, China, Russia, and India, and throughout the rest of the world. Primary application areas for these PLCs are in control and monitoring applications across the critical manufacturing, energy, water, agriculture and food, dams, transportation, postal, nuclear, government facilities, and defense industrial sectors.

Products supporting the Factory Cast feature, including the Modicon M340, Quantum, and Premium PLC ranges, allow users to send Modbus messages embedded in HTTP POST requests as SOAP messages. Modbus commands sent to the PLC via this mechanism are not authenticated. These messages can have unintended consequences such as halting operation or modifying I/O data to and from the PLC.

CVE-2013-0664 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

The affected devices incorporate a Web server interface that accepts requests from clients without any mechanism for verifying that the request was intentionally sent. An attacker can trick a client into making an unintentional request to the Web server, which the device treats as an authentic request. Valid commands could therefore be sent to the PLC via specially crafted HTTP requests.

CVE-2013-0663 is the number assigned to this vulnerability, which has a CVSS v2 base score of 8.5.

No known public exploits specifically target these vulnerabilities; however, an attacker with low to medium skill could exploit them.

Schneider Electric issued a patch for the HTTP and FTP service that is available on selected Quantum PLCs. This patch contains a new feature that allows the user to disable HTTP service on certain modules. The patch is on the Schneider Electric website.

Schneider Electric has not issued a patch for the Modicon M340 or Premium PLC, but issued a vulnerability disclosure notification that contains the following recommended mitigations for both vulnerabilities:
• Do not connect the affected PLC modules to an untrusted network.
• If the user needs such a connection, block all HTTP access to the module from untrusted IP addresses using a firewall, and only allow HTTP connections from known IP addresses from secured workstations.
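The following Python script is an added example, not code from the ICS-CERT report or from Schneider Electric, that models the second mitigation above together with the unauthenticated Factory Cast mechanism described earlier: it reviews a constructed HTTP access log from a firewall or proxy placed in front of a PLC module, treats only an assumed trusted workstation subnet as permitted, and rates untrusted SOAP POSTs (the channel that can carry Modbus commands) higher than other untrusted HTTP traffic. The log format, the `/soap/modbus` path, and all addresses are hypothetical placeholders; the real Factory Cast URL and message schema are not given on the page.

```python
"""Allowlist review for HTTP traffic reaching a Factory Cast PLC module.

Added example (hypothetical log format and addresses). It implements the
ICS-CERT mitigation of permitting HTTP to the module only from known,
secured workstation addresses, and flags everything else.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Assumed subnet of secured engineering workstations; adjust per site.
TRUSTED_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Content types under which a SOAP body (and thus an embedded Modbus
# command) would arrive in an HTTP POST.
SOAP_CONTENT_TYPES = {"text/xml", "application/soap+xml"}

# Constructed sample log: "<src_ip> <method> <path> <content_type>" per line.
# A "-" content type means the request carried no body.
SAMPLE_LOG = """\
# src_ip        method path         content_type   (constructed sample)
192.168.10.5    POST   /soap/modbus text/xml
10.20.30.40     POST   /soap/modbus text/xml
192.168.10.7    GET    /index.htm   -
203.0.113.9     GET    /index.htm   -
203.0.113.9     POST   /soap/modbus application/soap+xml
"""


@dataclass(frozen=True)
class Finding:
    src: str
    method: str
    path: str
    soap: bool
    severity: str  # "high" for untrusted SOAP POST, "medium" otherwise


def is_trusted(src: str, trusted_nets=None) -> bool:
    """True if the source address lies inside an allowlisted subnet."""
    nets = TRUSTED_NETS if trusted_nets is None else trusted_nets
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def is_soap_post(method: str, content_type: str) -> bool:
    """A POST with an XML/SOAP body is the path by which Modbus commands
    reach the PLC without authentication."""
    return method.upper() == "POST" and content_type.lower() in SOAP_CONTENT_TYPES


def review_access_log(text: str, trusted_nets=None) -> List[Finding]:
    """Return one Finding per HTTP request from an address outside the
    allowlist. Trusted sources produce no finding; blank and comment
    lines are skipped; malformed lines are flagged rather than ignored."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            # A line the parser cannot read is itself worth a look.
            findings.append(Finding(line, "?", "?", False, "medium"))
            continue
        src, method, path, ctype = parts
        if is_trusted(src, trusted_nets):
            continue
        soap = is_soap_post(method, ctype)
        findings.append(Finding(src, method, path, soap,
                                "high" if soap else "medium"))
    return findings


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f"{f.severity:6} {f.src:15} {f.method:4} {f.path} soap={f.soap}")
```

Running it over the constructed sample reports the two untrusted SOAP POSTs as high and the untrusted GET as medium, while the two requests from the trusted subnet pass silently. In practice the same allowlist belongs in the firewall rule set in front of the module, with this kind of review used to confirm the rule is actually holding and to surface any HTTP reaching the PLC from outside it.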
