Schneider Radio Encryption Bug

Friday, August 23, 2013 @ 03:08 PM gHale

Schneider Electric self-reported a hard-coded encryption key vulnerability in its Trio J-Series Radios and has released a firmware patch that mitigates the vulnerability, according to a report on ICS-CERT.

In certain cases the affected Trio J-Series radio firmware versions do not correctly generate an advanced encryption standard (AES) encryption key when AES encryption is enabled in the device configuration.


An attacker could potentially leverage this situation to gain control of a device or to access a connected device or industrial control system (ICS) network.

If a Trio J-Series Radio running V3.6.0, V3.6.1, V3.6.2, or V3.6.3 has AES encryption enabled with a user-defined pass phrase, the AES encryption key does not generate correctly. The one exception is a key carried over unchanged from an earlier firmware version:

If the radio was running V3.5.0 or earlier with AES encryption already enabled when it was upgraded to one of the affected versions, and the AES pass phrase was not changed afterwards, the Trio J-Series will continue to encrypt the radio traffic properly.

If the radio was running V3.5.0 or earlier, was upgraded to one of the affected versions, and AES encryption was then changed from disabled to enabled or the AES pass phrase was changed, the encryption key will not generate correctly.
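The advisory does not say how the radio turns the pass phrase into a key, only that the result is wrong (and, per the advisory title, effectively hard-coded) when the key is freshly generated on the affected firmware. The failure class is a key that no longer depends on the operator's pass phrase, which is something a firmware test suite can catch before release. The following is an added illustration, not Schneider Electric's code: a hypothetical PBKDF2-based derivation stands in for a correct implementation, a deliberately broken variant models the fixed-key failure, and a self-check exercises both. The key length, iteration count, salt values and pass phrases are assumptions chosen for the example.

```python
import hashlib
import hmac

# Assumptions for the example: an AES-128 link key and a PBKDF2 work factor.
KEY_LEN = 16
PBKDF2_ITERATIONS = 100_000


def derive_link_key(passphrase: str, link_salt: bytes) -> bytes:
    """Hypothetical sound derivation: PBKDF2-HMAC-SHA256 over the pass phrase.

    Both ends of the radio link must run the same deterministic derivation
    (same pass phrase, same per-link salt) to arrive at the same key.
    This is not the radio's real algorithm.
    """
    if not passphrase:
        raise ValueError("empty pass phrase")
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), link_salt,
        PBKDF2_ITERATIONS, dklen=KEY_LEN,
    )


def broken_derive_link_key(passphrase: str, link_salt: bytes) -> bytes:
    """Models the failure class: the pass phrase and salt are ignored and a
    fixed byte pattern is returned, so every radio ends up with the same key."""
    return bytes(range(KEY_LEN))


def check_key_derivation(derive, salt: bytes = b"\x00" * 8) -> dict:
    """Run release-time sanity checks on a key-derivation function.

    Returns one boolean per named property so a failing build log says which
    property broke rather than just "key derivation test failed".
    """
    key_a = derive("correct horse", salt)   # constructed test pass phrases
    key_b = derive("battery staple", salt)
    key_a_again = derive("correct horse", salt)
    key_a_other_link = derive("correct horse", b"\x01" * 8)
    return {
        "correct_length": len(key_a) == KEY_LEN,
        # Peer radios must derive identical keys from identical inputs.
        "deterministic": key_a == key_a_again,
        # Changing the pass phrase must change the key; this is the property
        # the affected firmware loses.
        "passphrase_dependent": not hmac.compare_digest(key_a, key_b),
        # Different links with the same pass phrase should not share a key.
        "salt_dependent": key_a != key_a_other_link,
        "not_all_zero": any(key_a),
    }


def derivation_is_sound(derive) -> bool:
    """True only if every property in check_key_derivation holds."""
    return all(check_key_derivation(derive).values())


if __name__ == "__main__":
    for name, fn in (("pbkdf2", derive_link_key),
                     ("broken", broken_derive_link_key)):
        print(name, check_key_derivation(fn), derivation_is_sound(fn))
```

The useful part is the "passphrase_dependent" property: a derivation that passes the length and determinism checks but returns the same bytes for two different pass phrases is exactly the condition described above, and it is invisible to a radio operator, since the link still comes up and traffic still looks scrambled on the air.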

The following Schneider Electric Trio J-Series Radio versions running Firmware Versions V3.6.0, V3.6.1, V3.6.2, and V3.6.3 suffer from the issue:
• TBURJR900-00002DH0
• TBURJR900-01002DH0
• TBURJR900-05002DH0
• TBURJR900-06002DH0
• TBURJR900-00002EH0
• TBURJR900-01002EH0
• TBURJR900-05002EH0
• TBURJR900-06002EH0

Schneider Electric is a Europe-based company that maintains offices in 190 countries worldwide. Their PLC products see use in a wide variety of automation and control applications across all industrial, infrastructure, and building sectors.

These radios see use mostly in Australia and the U.S., with smaller deployments in Brazil, Europe, and the UK. Sectors most commonly using the affected devices include oil and gas, water and waste water, and mining.

The affected devices may, under some circumstances, not properly generate an encryption key. This could potentially result in an attacker gaining access to the radio communications link traffic and potentially the ICS network.

CVE-2013-2782 is the number assigned to this vulnerability, which has a CVSS v2 base score of 8.3.

There are no known exploits targeting this remotely exploitable vulnerability. An attacker with a low skill level would be able to exploit this vulnerability.

The best mitigation for this vulnerability is to install the vendor firmware update from Schneider Electric.
