Risky Schneider Electric SCADA Vulnerabilities Remain Unpatched

Vulnerabilities in Schneider Electric SCADA gear remain unpatched close to two weeks after they were disclosed during DEF CON.


The Industrial Control System Cyber Emergency Response Team (ICS-CERT) released an alert late last week, and patches are currently being validated, according to ICS-CERT and researcher Aditya K. Sood, who gave the DEF CON presentation. Sood said the alert came as a result of his talk in Las Vegas, where he described the flaws in Schneider Electric’s Modicon M340 PLC Station P34 Module human machine interface (HMI) software. HMIs provide infrastructure operators with a visualization of the automation environment and allow admins to manage controls from a single screen or screens.

The vulnerabilities affect the modules that support the Factory Cast Modbus feature.

“[The alert] is based on my DEFCON talk but there are high chances that attackers could have been exploiting these vulnerabilities for some time now,” Sood said.

Sood disclosed the vulnerabilities and provided Schneider with proof-of-concept code for two remotely exploitable vulnerabilities and a related locally exploitable flaw. One of the flaws is a hard-coded credential found in the software, which ICS-CERT told Sood had already been reported to them. Sood said it is unknown whether the hard-coded password has been removed, since there was discussion of deploying a patch that would disable the affected FTP login.

The two other vulnerabilities are remote and local file inclusion issues that could be exploited via phishing attacks containing a link to a crafted URL, or by an attacker with physical access to the software.

“The risk is an attacker can target the SCADA users or admins by simply sending a crafted URL which upon clicking, executes a code from a third party domain through the browser,” Sood said. “Similarly, some local file can be downloaded through LFI but I will say RFI is much more critical in these scenarios.”

Sood said the remote file inclusion vulnerability is client-side rather than server-side. The file, he said, must be dynamically included.

“What happens is, the URL passed is transferred back to [a JavaScript] function which dynamically obtains the value from URL and then renders it in the iframe on the client side and the file is loaded through iframe,” Sood explained. “The distinction is instead of PHP it goes back to JS based inclusion function.”
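The inclusion pattern Sood describes, shown here as an added example that is not code from Schneider Electric or from his talk: a JavaScript function that hands a URL parameter straight to an iframe, next to an allow-list check that keeps the frame on the HMI's own origin, plus a log-review helper that goes slightly beyond the article by flagging requests the check would have refused. The origin, the parameter name "page", the page names and the sample log lines are all assumptions constructed for the example.

```javascript
// Added example, not code from Schneider Electric or from Sood's talk: the
// client-side inclusion pattern described above (a URL parameter handed to an
// iframe by JavaScript) next to an allow-list check that keeps the frame on the
// HMI's own origin. Origin, parameter name and page names are assumptions.
const HMI_ORIGIN = "https://hmi.example.internal";
const ALLOWED_PAGES = new Set(["overview.htm", "alarms.htm", "trends.htm"]);

// Vulnerable pattern: the "page" parameter becomes the iframe src unchanged, so a
// crafted link can make the browser frame a document from a third-party domain.
function unsafeFrameSource(search) {
  return new URLSearchParams(search).get("page"); // would be assigned to iframe.src
}

// Hardened pattern: resolve the parameter against the HMI origin and accept only
// known pages. Returns the absolute same-origin URL to frame, or null to refuse.
function safeFrameSource(search) {
  const page = new URLSearchParams(search).get("page");
  if (page === null) return null;
  let resolved;
  try {
    resolved = new URL(page, HMI_ORIGIN); // relative names resolve on our origin
  } catch {
    return null; // unparseable input is refused
  }
  // Rejects absolute http(s) URLs, scheme-relative "//host" forms and javascript: URLs.
  if (resolved.origin !== HMI_ORIGIN) return null;
  // The path is normalized by URL parsing, so "../" traversal cannot reach an unlisted file.
  const name = resolved.pathname.split("/").pop();
  return ALLOWED_PAGES.has(name) ? resolved.href : null;
}

// Defender's check: return the web-server log lines whose "page" parameter the
// allow-list would refuse, i.e. requests that tried to frame an off-origin or
// unknown file. Lines without a GET request or a query string are ignored.
function flagSuspiciousRequests(logLines) {
  return logLines.filter((line) => {
    const m = line.match(/"GET (\S+)/);
    if (!m) return false;
    const q = m[1].indexOf("?");
    return q >= 0 && safeFrameSource(m[1].slice(q)) === null;
  });
}

// Constructed sample log lines for the check above (not from any real device).
const SAMPLE_LOG = [
  '10.0.0.5 - - "GET /index.htm?page=alarms.htm HTTP/1.1" 200',
  '10.0.0.9 - - "GET /index.htm?page=//third-party.example/x.htm HTTP/1.1" 200',
  '10.0.0.9 - - "GET /index.htm?page=../../etc/passwd HTTP/1.1" 200',
  '10.0.0.5 - - "GET /index.htm HTTP/1.1" 200',
];
```

The same origin and allow-list checks apply whether the inclusion is done in PHP on the server or in JavaScript in the browser; only where the check runs changes.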

A similar remote file inclusion vulnerability was reported recently in Rockwell Automation 1766-L32BWAA/1766-L32BXBA web interfaces, another programmable logic controller used in a number of critical industries.

“RFI/LFI are easy to patch, but it depends again on the ICS vendors,” Sood said.

Earlier this year, Rockwell patched weak password protection in its RSView32 HMI in which an outdated encryption algorithm was used to secure passwords.

This article was updated with additional context on the RFI vulnerability.


Discussion

  • Jake Brodsky on

    Unlike Office IT, SCADA devices are not the center of the world. Most IT security professionals are aghast that we don't have fleets of people ready to patch every little potential problem in the field. In fact, patching is VERY expensive, both in the time it takes for the people to do it and the very expensive equipment that must be decommissioned during the re-validation tests. Get used to the notion that Operational Technology is no more the center of operation than an autopilot is the center of operation in an airliner. Yes, it helps a lot. But there are manual controls and people do watch this stuff very closely for signs of trouble. As others have pointed out: just because you can hack and deny service to these devices does not mean instant demolition of the device. It will continue to function in some less than ideal manner, but it will probably still function. It takes extraordinary inside knowledge to successfully destroy stuff in a process. Very few have both the knowledge and the inside knowledge to inflict permanent damage. This is not the emergency you think it is.
