Schneider, Researcher Disagree on Holes

Thursday, March 21, 2013 @ 07:03 PM gHale

Schneider Electric released mitigations for vulnerabilities discovered during the Digital Bond SCADA Security Scientific Symposium, but they beg to differ on other issues a researcher disclosed.

Schneider released mitigations for the remotely exploitable vulnerabilities found by independent researcher Arthur Gervais, who identified two vulnerabilities in the common Ethernet modules used across a broad range of Schneider’s PLC products, according to a report from ICS-CERT. The company does not plan to issue patches, saying that fixing these vulnerabilities would require significant changes to existing protocols and would make any customer solutions currently using these features incompatible.


Additional issues reported by Gervais have also been investigated, and the vendor and researcher disagree on whether the Magelis XBT HMI issue is a valid vulnerability.

The Magelis XBT HMI panels have a security mode in which a password is required to enable remote configuration uploads. When this mode is first enabled, a factory default password is in effect. The user is not prompted or required to supply a new password, although the capability to do so is available. Once the user supplies a new password, the factory default password is no longer valid. This does not fit the definition of a hard-coded password, because a user can change it. Users should be aware of the potential for configuration errors that can lead to significant security issues.

In addition, Schneider could not duplicate the reported Resource Exhaustion issue affecting the M340 PLC family given the information supplied by the researcher. Software versions or specific configuration differences could account for the vendor's inability to duplicate the results. In Schneider Electric’s testing on this issue, the communications module does in fact stop communicating when the connection limit is exceeded, but the PLC continues its control functions and its operation remains unaffected. After the connection limit is exceeded, the communications module performs a soft reset. An attacker could not remotely exploit this observed behavior to deny PLC control functions. Because Schneider could not duplicate the researcher-reported behavior, the vendor could not go any further without more specific, detailed information.

Other than that, Schneider does have mitigation details for an improper authentication vulnerability and cross-site request forgery vulnerability in its Modicon, Premium, and Quantum PLC modules.

Gervais identified multiple vulnerabilities in the common Ethernet modules used across a broad range of Schneider Electric’s PLC products.

The following Schneider Electric products suffer from the issue:
• Modicon M340 PLC modules
• Quantum PLC modules
• Premium PLC modules

A malicious attacker may remotely halt, reset, or change settings for PLC modules by exploiting these vulnerabilities. This could affect products deployed in the critical manufacturing, energy, water, agriculture and food, dams, transportation, postal, nuclear, government facilities, and defense industrial sectors worldwide.

The affected PLC products, the Modicon M340, Quantum, and Premium lines, are PLC devices used in the United States, China, Russia, and India, and throughout the rest of the world.

Products supporting the Factory Cast feature, including the Modicon M340, Quantum, and Premium PLC ranges, allow users to send Modbus messages embedded in HTTP POST requests using SOAP messages.

Modbus commands sent to the PLC via this mechanism are not authenticated. These messages can result in unintended consequences such as halting operation or modification of I/O data to and from the PLC. CVE-2013-0664 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

The affected devices incorporate a Webserver interface that receives requests from clients without any mechanism to verify that the request was intentionally sent. It is possible for an attacker to trick a client into making an unintentional request to the Webserver, which would then be treated as an authentic request.

Valid commands could go to the PLC via specially crafted HTTP requests. CVE-2013-0663 is the number assigned to this vulnerability, which has a CVSS v2 base score of 8.5.

Schneider Electric has not issued a patch or software update to mitigate these vulnerabilities, but has issued a vulnerability disclosure notification that contains the following recommended mitigations for both vulnerabilities:
• Do not connect the affected PLC modules to an untrusted network.
• If users need to make such a connection, block all HTTP access to the module from untrusted IP addresses using a firewall, and only allow HTTP connections from known IP addresses from secured workstations.
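The two weaknesses described above (unauthenticated Modbus carried in SOAP-over-HTTP POST requests, and requests the Webserver accepts without checking that a client meant to send them) and the allowlist mitigation can be monitored from the network side. The following is an added example, not code from the article, Schneider Electric or ICS-CERT: it runs a simple check over constructed HTTP access-log lines for a PLC module, flagging requests from clients outside the allowlist, SOAP POSTs to the PLC, and requests whose Origin/Referer host is not the PLC itself (the cross-site pattern). The addresses, log format and the /soap path are assumptions.

```python
import ipaddress

# Constructed values for this example: the PLC module's address and the
# "known IP addresses from secured workstations" that the advisory says
# should be the only HTTP clients of the module.
PLC_MODULES = {ipaddress.ip_address("10.20.40.5")}
ALLOWED_CLIENTS = [ipaddress.ip_network("10.20.30.0/28")]
SOAP_TYPES = {"text/xml", "application/soap+xml"}

# Constructed log format: src dst method path content_type origin_host
# ("-" marks an absent Content-Type or Origin/Referer header; /soap is a
# placeholder path, not the real endpoint).
SAMPLE_LOG = """\
10.20.30.7 10.20.40.5 GET /index.htm - -
10.20.30.7 10.20.40.5 POST /soap text/xml 10.20.40.5
192.0.2.44 10.20.40.5 POST /soap text/xml -
10.20.30.9 10.20.40.5 POST /soap text/xml external.example
10.20.30.7 10.20.50.1 POST /api application/json -
"""

def check_request(line):
    """Return the reasons an HTTP request to a PLC module looks suspicious."""
    src, dst, method, _path, ctype, origin = line.split()
    if ipaddress.ip_address(dst) not in PLC_MODULES:
        return []                       # not aimed at a PLC web server
    reasons = []
    src_ip = ipaddress.ip_address(src)
    if not any(src_ip in net for net in ALLOWED_CLIENTS):
        # Violates the allowlist mitigation: HTTP from an unlisted client.
        reasons.append("http-from-unlisted-client")
    if method == "POST" and ctype.split(";")[0].strip() in SOAP_TYPES:
        # The channel that can carry Modbus commands the PLC never authenticates.
        reasons.append("soap-post-to-plc")
    if origin != "-" and origin != dst:
        # Browser-initiated request from a third-party page: the CSRF pattern.
        reasons.append("cross-site-origin")
    return reasons

def scan(log_text):
    """Run check_request over each log line; return (src, reasons) for hits."""
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        reasons = check_request(line)
        if reasons:
            alerts.append((line.split()[0], reasons))
    return alerts

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG):
        print(src, ", ".join(reasons))
```

A SOAP POST from an allowlisted workstation with the PLC as its own origin is still reported, because the advisory's point is that the PLC never authenticates those commands; the allowlist only narrows who can send them.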
