Multiple Vulnerabilities Haunt Long List of PLC Modules

A long list of industrial-control modules manufactured by Schneider Electric and used to control operations at various industrial facilities contain multiple weaknesses and vulnerabilities that could allow an attacker to modify the firmware, login remotely and run arbitrary code on the vulnerable components. Security researcher Ruben Santamarta discovered and disclosed the problems and the ICS-CERT is warning users about the issue, as well.

A long list of industrial-control modules manufactured by Schneider Electric and used to control operations at various industrial facilities contain multiple weaknesses and vulnerabilities that could allow an attacker to modify the firmware, login remotely and run arbitrary code on the vulnerable components. Security researcher Ruben Santamarta discovered and disclosed the problems and the ICS-CERT is warning users about the issue, as well.

The devices in question are Ethernet modules that are designed to communicate with programmable logic controllers over a network. They’re used in industrial control systems and Santamarta took a look at the firmware that’s used on the modules and found that not only were they accessible over the Internet, but also had a slew of hidden accounts, many with hard-coded passwords. His research shows that, with services such as Telnet, FTP and others exposed and available for attackers to probe, the systems running on these Schneider Electric Quantum Ethernet Modules are vulnerable to several kinds of attack.

Santamarta notified both the manufacturer of the modules and the ICS-CERT about the issues he found, and Schneider Electric already has produced fixes for two of the vulnerabilities he reported and is working on addressing the others.

Here is what Santamarta found in his research:

– In order to fully understand the PLC/Eth module, backplane and other protocols (i.e Unity’s UMAS) we can reverse engineer the firmware, the java classes and vendor’s software like Unity Loader.
– You can remotely compromise Modicon PLCs exposed via NOE Ethernet modules through ftp, telnet, modbus, WDB, snmp, web… by using the backdoor credentials exposed or even without using them.
– You can load your own trojanized firmware.
– There are non-documented hidden accounts that can be used to compromise a PLC.
– There are non-documented functionalities with security implications.
– There is no solution other than redesigning these devices, which obviously is not feasible in the short/middle term so mitigations are needed and expected.

The main problems that Santamarta discovered in his research are related to the security of the Telnet and Windriver Debug port. The weak security associated with these services could enable an attacker to watch how the firmware works, modify the module’s memory and run his own code on the module.

This is the latest in a series of recent problems and warnings affecting various industrial-control systems and modules. Last month an attacker was able to compromise the software that’s used to manage the water infrastructure for a district in Houston, Texas. He said the system he attacked used a three-character password.

In its alert about Santamarta’s research, the ICS-CERT, which is run by the Department of Homeland Security, said that there are some steps customers can take to protect themselves in the absence of patches.

“ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
• Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.b
• Locate control system networks and devices behind firewalls, and isolate them from the business network.
• If remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.”

Santamarta said in his research report that both Schneider Electric’s security team and ICS-CERT had been quite responsive to his disclosures and had worked with him on addressing the issues.

Suggested articles