Researchers discovered a critical remote code execution vulnerability in two Schneider Electric industrial control related products that could give attackers the ability to disrupt or shut down plant operations.
Tenable Research, which discovered the vulnerability (CVE-2018-8840) and created a proof-of-concept attack scenario, said that the bug affects two Schneider Electric products, InduSoft Web Studio and InTouch Machine Edition. Schneider Electric has since issued patches for the vulnerability.
InduSoft Web Studio is a suite of tools to develop industrial control systems such as human-machine interfaces or Supervisory Control and Data Acquisition systems. InTouch Machine Edition is a software toolset to develop applications connecting automation systems, and to develop interfaces for web browsers and tablets.
“This software is commonly deployed across several heavy industries, including manufacturing, oil and gas and automotive,” according to Tenable’s report released Wednesday. “With the growing adoption of distributed and remote monitoring in industrial environments, OT and IT are converging. As OT becomes increasingly connected and boundary-less, these safety-critical systems are increasingly vulnerable to cyberattacks.”
Schneider Electric said in a security bulletin it has released InduSoft Web Studio v8.1 SP1 and InTouch Machine Edition 2017 v8.1 SP1 to address this vulnerability. Impacted users are strongly advised to apply patches as soon as possible.
“An unauthenticated remote attacker can leverage this attack to execute arbitrary code on vulnerable systems, potentially leading to full compromise of the InduSoft Web Studio or InTouch Machine Edition server machine,” according to Tenable’s report. “A threat actor can use the compromised machine to laterally transfer within the victims’ network and to execute further attacks. Additionally, connected HMI clients can be exposed to attack.”
The vulnerability stems from a stack-based buffer overflow in the two products. Tenable said that a threat actor could send a crafted packet to exploit the buffer overflow using a tag, alarm, event, read or write action to execute code. Packet crafting, sending deliberately constructed packets, is a technique that network administrators commonly use to check firewall rule-sets and find entry points into a targeted system.
“In order to validate the vulnerability, we developed a proof of concept that uses a simple Linux terminal and standard Linux command line utilities,” Tenable told Threatpost.
The vulnerability is similar to CVE-2017-14024, another stack-based buffer overflow issue discovered in Schneider Electric InduSoft Web Studio v8.0 SP2 Patch 1 and prior versions, and InTouch Machine Edition v8.0 SP2 Patch 1 and prior versions, said Tenable.
“While researching CVE-2017-14024 for a Nessus plugin, Tenable found a new stack buffer overflow in InduSoft Web Studio and InTouch Machine Edition. The vulnerability is similar to CVE-2017-14024 in that it involves calling mbstowcs() in TCPServer.dll. However, this new vulnerability leverages command 50 instead of command 49,” researchers wrote.
The vulnerability can be remotely exploited without authentication and targets the IWS Runtime Data Server service by default on TCP port 1234.
Tenable told Threatpost that an attacker would likely develop a custom script that connects to the vulnerable application on port 1234 and would send a malicious string of characters over a network connection to exploit the vulnerability.
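The bug class Tenable describes, an mbstowcs() conversion whose bound is derived from attacker-controlled input rather than from the destination buffer, is shown below in constructed C code alongside a bounded version. This is an added illustration, not the TCPServer.dll code; the buffer size, function names and packet fields are assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Constructed illustration of the bug class described in the article:
 * an mbstowcs() into a fixed-size stack buffer whose bound comes from the
 * input rather than the destination. Not the vendor's implementation. */

#define FIELD_WCHARS 16   /* assumed capacity of the destination buffer */

/* Vulnerable pattern: the bound passed to mbstowcs() is the input length,
 * so a long field can write past the end of 'dst'. Shown only to contrast
 * with the fix; only called with short input in this example. */
int convert_field_unbounded(const char *src) {
    wchar_t dst[FIELD_WCHARS];
    size_t n = mbstowcs(dst, src, strlen(src) + 1);  /* wrong bound */
    return n == (size_t)-1 ? -1 : (int)n;
}

/* Hardened pattern: measure first, reject input that cannot fit, bound the
 * conversion by the destination capacity, and always terminate.
 * Returns the number of wide characters produced, or -1 on rejection or
 * on an invalid multibyte sequence. */
int convert_field_bounded(const char *src, wchar_t *dst, size_t dst_wchars) {
    if (src == NULL || dst == NULL || dst_wchars == 0)
        return -1;
    /* mbstowcs(NULL, ...) reports the required length without writing */
    size_t needed = mbstowcs(NULL, src, 0);
    if (needed == (size_t)-1 || needed >= dst_wchars)
        return -1;                    /* invalid sequence or would not fit */
    size_t n = mbstowcs(dst, src, dst_wchars - 1);
    if (n == (size_t)-1)
        return -1;
    dst[n] = L'\0';                   /* terminate even if n == dst_wchars-1 */
    return (int)n;
}

/* Wrapper using the fixed-size stack buffer from the scenario above. */
int handle_field(const char *src) {
    wchar_t dst[FIELD_WCHARS];
    return convert_field_bounded(src, dst, FIELD_WCHARS);
}
```

The measuring call and the capacity-derived bound are what the unbounded version lacks; an over-long field is rejected before any write happens.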
So far, there is no evidence to suggest that the vulnerability has been exploited in the wild, a Tenable Research spokesperson told Threatpost. The vulnerability is rated 9.8 out of 10 using the Common Vulnerability Scoring System (CVSS).
IT-OT Security Worries
The vulnerability is just one example of the road bumps that industrial manufacturers face as their industrial control systems, such as programmable logic controllers and HVAC systems, become connected to the network.
“The OT industry has historically been somewhat insulated from the attention of most security researchers…With IT and OT converging and now sharing more standardized protocols and libraries, this is quickly changing,” a Tenable Research spokesperson told Threatpost. “Understanding the new risks associated with this digital transformation will take some time. So far, the necessary paradigm change has been slow in coming, but we are seeing some vendors begin to take this more seriously.”
Focus around industrial control system security has tightened in particular since FireEye researchers in December found a malware called Triton targeting Schneider Electric’s Triconex Safety Instrumented System controllers.
But Schneider Electric and other industrial manufacturers have faced cybersecurity issues long before that. In 2016, a critical vulnerability was found in Schneider Electric’s industrial controller management software, Unity Pro, while in 2017 a critical vulnerability was found in Schneider Electric’s WonderWare Historian.
“The cost and difficulty of gaining access to OT devices for research purposes and the fact that they often use proprietary protocols, has given OT the benefit of security through obscurity. In addition, as OT devices have traditionally not been connected to the internet, OT developers have not had to take malicious attacks from remote users into consideration,” the Tenable spokesperson said.
The disclosure timeline for this most recent vulnerability (CVE-2018-8840) begins with Tenable's discovery of the bug on Jan. 18. Tenable reported the vulnerability to Schneider on Jan. 28, and on March 15 the company issued a patch to affected customers. Public disclosure of the patch is today.