UPDATE–There are several unpatched, remotely exploitable vulnerabilities in a number of Schneider Electric’s SCADA products, one of which could be used to perform a shutdown of the SCADA server. Another of the vulnerabilities is an authentication bypass that could give an attacker access to sensitive data.
The vulnerabilities affect a variety of Schneider Electric StruxureWare SCADA Expert ClearSCADA versions. The product is a software platform designed to be used for remote management of critical infrastructure systems. Aditya Sood, an independent security researcher, found a cross-site request forgery vulnerability in the software that could allow a remote attacker to disable a vulnerable server.
“SCADA Expert ClearSCADA versions released prior to September 2014 may be vulnerable to specific web cross-site [request forgery] attacks. The attacker would have to trick the user with system administration privileges logged in via the WebX client interface to exploit this vulnerability. The attacker could then execute a remote shutdown of the ClearSCADA Server. Social engineering is required to exploit this vulnerability,” the advisory from ICS-CERT says.
There also is an authentication bypass flaw that allows a remote attacker to access sensitive information without logging in.
“The guest user account within ClearSCADA installations is provided read access to the ClearSCADA database for the purpose of demonstration for new users. This default security configuration is not sufficiently secure to be adopted for systems placed into a production environment and can potentially expose sensitive system information to users without requiring login credentials,” the advisory says.
Schneider Electric is in the process of building patches for these vulnerabilities, which will be rolled out in a service pack later this month. Until then, the company is recommending some mitigations for customers.
“Schneider Electric advises all ClearSCADA users to take steps to secure the interfaces to the ClearSCADA system. The ClearSCADA database security configuration should be reviewed and updated to limit all system access to authorized users only. The access permissions of existing users should be reduced to only those required by their role (e.g., removing any higher level System Administration privileges from Operations or Engineering users), and specific accounts should be created with appropriate permissions for performing System Administration tasks,” the advisory says.
In addition to the CSRF and authentication bypass flaws, there also is an issue with the default certificate that comes with ClearSCADA. The certificate is self-signed and uses MD5 as the signing algorithm.
The vulnerabilities affect the following versions of Schneider’s products:
- ClearSCADA 2010 R3 (build 72.4560),
- ClearSCADA 2010 R3.1 (build 72.4644),
- SCADA Expert ClearSCADA 2013 R1 (build 73.4729),
- SCADA Expert ClearSCADA 2013 R1.1 (build 73.4832),
- SCADA Expert ClearSCADA 2013 R1.1a (build 73.4903),
- SCADA Expert ClearSCADA 2013 R1.2 (build 73.4955),
- SCADA Expert ClearSCADA 2013 R2 (build 74.5094),
- SCADA Expert ClearSCADA 2013 R2.1 (build 74.5192), and
- SCADA Expert ClearSCADA 2014 R1 (build 75.5210).
This story was updated on Sept. 17 to clarify that the vulnerability is a CSRF, not XSS, as was reported in the ICS-CERT advisory.