Two security vulnerabilities in Schneider Electric’s programmable logic controllers (PLCs) could allow attackers to compromise a PLC and move on to more sophisticated critical infrastructure attacks.
PLCs are key pieces of equipment in environments such as electric utilities and factories. They control the physical machinery footprint in factory assembly lines and other industrial environments, and are a key part of operational technology (OT) networks.
According to researchers at Trustwave, the issues are present in company’s EcoStruxure Machine Expert v1.0 PLC management software, and in the firmware for the M221 PLC, version 220.127.116.11, respectively.
CVEs and severity ratings are pending, and patches are available.
Breaking Password Encryption
The first vulnerability, a small-space seed vulnerability, allows the discovery of encryption keys used by EcoStruxure Machine-Expert Basic for application protection. There are two types of application protection available: Read protection protects the controller’s application from being read by any unauthorized personnel at the engineering workstation; and the write protection protects the controller’s application from unauthorized changes.
“We are able to run an exhaustive key search to identify the encryption key that is used to encrypt the hashed password used to protect the application on the PLC,” Trustwave researchers explained, in a posting on Thursday. “The malicious actor can use this encryption key to decrypt the encrypted hash password that is sent to the controller to unlock read/write protection.”
The brute-force effort was made possible thanks to two flaws, researchers noted: First, the random nonce and secret key used in the encryption process are exchanged in cleartext.
“Hence, we are able to intercept and obtain the secret key from the network packets,” they said.
And secondly, the seed that is used to generate the keys is only two bytes long. This means that there are only 65,535 possible combinations of seed.
“Once we have obtained the seed, we can use this seed and the nonce that we have extracted from the network packet to generate the encryption key,” researchers said. “This encryption key can be used to decrypt the encrypted hashed password that we have extracted from the network packet using XOR algorithm.”
More Sophisticated Attacks
The second bug is a security bypass problem for the application-protection mechanism that can open the door to much bigger attacks. Researchers discovered an alternate channel to bypass the read protection feature on the controller.
“This read protection feature is meant to protect the application that is deployed on the controller from being downloaded by unauthorized personnel,” according to the firm. “[The bypass] can be used by a malicious actor to bypass the protection and download the application from the M221 controller.”
The alternate channel is the ability to send requests for application data as a third-party directly to the controller.
“These payloads can be consumed by the controller successfully without any authentication, thereby bypassing any read protection in place,” according to Trustwave. “In our analysis, we also realized that the application data in transit will be sent in clear instead of being encrypted.”
This in turn would allow an attacker to perform reconnaissance on the M221’s core application, paving the way for more sophisticated, follow-on attacks, Trustwave researchers said. That’s because the application contains the control logic that is deployed on the controller. This logic uses what’s known as “tags” in industrial control systems (ICS), to communicate across an operational technology (OT) network.
“It’s not a trivial task to understand the function of these tags on the network,” according to Trustwave. “In order for an attacker to conduct a targeted attack, he will need to figure out the context of the tags that are used in the control logic. One way to make this process easier is to download the control logic from the controller and read the tags that are set to gain a complete understanding of the process that is deployed on the controller.”
Schneider Electric recommends patching the engineering software, updating the firmware of the controller and blocking ports on the firewall. Trustwave added that customers should also use two different complex passwords for different application protections, and take steps to ensure only the engineering workstation and authorized clients can communicate to the PLC directly.
ICS in the Spotlight
ICS is snagging an increased spotlight from security researchers and the federal government. For instance, critical infrastructure has become a main focus for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) this year, it announced.
And indeed, more and more bugs have been uncovered in ICS gear as that focus ramps up. Hacking competitions like Pwn2Own for instance have started to focus on ICS.
The efforts are bearing fruit: In March, critical bugs affecting PLCs and physical access-control systems from Rockwell Automation and Johnson Controls were found.
And in July, on the heels of a dire warning from CISA about impending critical infrastructure attacks, ICS-CERT issued an advisory on a critical security bug in the Schneider Electric Triconex TriStation and Tricon Communication Module. These safety instrumented system (SIS) controllers are responsible for shutting down plant operations in the event of a problem and act as an automated safety defense for industrial facilities, designed to prevent equipment failure and catastrophic incidents such as explosions or fire.
They’ve been targeted in the past, in the TRITON attack of 2017.
Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.