Update Vulnerabilities in Schneider Electric SCADA gear remain unpatched close to two weeks after they were disclosed during DEF CON.
The Industrial Control System Cyber Emergency Response Team (ICS-CERT) released an alert late last week and patches are currently being validated according to ICS-CERT and researcher Aditya K. Sood, who gave the DEF CON presentation. Sood said the alert came as a result of his talk in Las Vegas where he described the flaws in Schneider Electric’s Modicon M340 PLC Station P34 Module human machine interface (HMI) software. HMIs provide infrastructure operators with a visualization of the automation environment and allow admins to manage controls from a single screen or screens.
The vulnerabilities affect the modules that support the Factory Cast Modbus feature.
“[The alert] is based on my DEFCON talk but there are high chances that attackers could have been exploiting these vulnerabilities for some time now,” Sood said.
Sood disclosed vulnerabilities and provided Schneider with proof-of-concept code for two remotely exploitable vulnerabilities, and a related locally exploitable flaw. One of the flaws is a hard-coded credential found in the software that ICS-CERT told Sood had already been reported to them. Sood said it is unknown whether the hard-coded password has been removed since there was discussion of deploying a patch that would disable the affected FTP login.
The two other vulnerabilities are remote and local file inclusion issues that could be exploited via phishing attacks containing a link to a crafted URL, or by an attacker with physical access to the software.
“The risk is an attacker can target the SCADA users or admins by simply sending a crafted URL which upon clicking, executes a code from a third party domain through the browser,” Sood said. “Similarly, some local file can be downloaded through LFI but I will say RFI is much more critical in these scenarios.”
Sood said the remote file inclusion vulnerability is client-side rather than server side. The file, he said, must be dynamically included.
“What happens is, the URL passed is transferred back to [a JavaScript] function which dynamically obtains the value from URL and then renders it in the iframe on the client side and the file is loaded through iframe,” Sood explained. “The distinction is instead of PHP it goes back to JS based inclusion function.”
A similar remote file inclusion vulnerability was reported recently in Rockwell Automation 1766-L32BWAA/1766-L32BXBA web interfaces, another programmable logic controller used in a number of critical industries.
“RFI/LFI are easy to patch, but it depends again on the ICS vendors,” Sood said.
Earlier this year, Rockwell patched weak password protection in its RSView32 HMI in which an outdated encryption algorithm was used to secure passwords.
This article was updated with additional context on the RFI vulnerability.