Two Schneider Electric SCADA products had vulnerabilities similar to the ones exploited in the Iran-bothering Stuxnet worm, an infosec outfit has claimed.
The vulns, uncovered by Trustwave and since patched, could be abused by a malicious person to interact with the SoMachine Basic v1.6 engineering software and the M221 programmable logic controller (PLC) to cause mischief or disrupt operations.
To exploit one of the flaws, you need to be able to reach the PLC via Modbus TCP/IP, and for the other, you need access to the Windows computer running SoMachine. That means you'll in all likelihood need to have compromised and infiltrated the plant, factory, or lab you wish to harm before you can get to work.
“The impact is that a malicious actor can start and stop the PLC remotely without authenticating with the engineering software,” said Trustwave’s Seok Min Lim in an advisory this week, adding: “Our research shows that SoMachine Basic does not perform adequate checks on critical values used in the communications with PLC. The vulnerability can potentially be used to send manipulated packets to the PLC, without the software being aware of the manipulation.”
Normally, sending commands to a PLC through the engineering software requires authentication; logging in, in plain English. Trustwave, however, found that it could simply capture and replay commands sent by SoMachine, completely bypassing authentication in the process.
Although Schneider’s PLC design was only supposed to accept a single user session from the engineering software at a time, Trustwave was able to use Address Resolution Protocol (ARP) poisoning to keep the session alive while logging out the real user.
“As part of the protocol specification, the PLC responded with a generic 'OK' message that was indistinguishable from the response to the 'Keep Alive' request. As a result, SoMachine Basic was tricked into thinking that 'Keep Alive' message is executed successfully. The software is unaware that the session with the PLC had ended,” explained the Trustwave team.
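To make the keep-alive ambiguity concrete, here is an added Python model (not Schneider's protocol and not Trustwave's code) of a single-session controller that answers every request with a generic 'OK', beside a reply format that names the request and reports session state; the class, message strings and token values are assumptions made for the model.

```python
# Constructed model of the keep-alive ambiguity described in the advisory.
# Not Schneider's protocol: message strings and names are assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Plc:
    """Toy controller that accepts one engineering-software session."""
    distinguish_replies: bool       # False = generic 'OK' for every request
    session: Optional[str] = None   # token of the single live session

    def login(self, token: str) -> str:
        self.session = token
        return "OK"

    def logout(self, token: str) -> str:
        if self.session == token:
            self.session = None
        return "OK"

    def keep_alive(self, token: str) -> str:
        if not self.distinguish_replies:
            # Weak design: the same 'OK' whether or not the session still
            # exists, so the client cannot tell a dead session from a live one.
            return "OK"
        # Hardened design: say which request is being answered and report the
        # session state explicitly instead of a generic acknowledgement.
        if self.session != token:
            return "ERR no-session"
        return "ACK keep-alive"


def client_believes_alive(plc: Plc, token: str) -> bool:
    """How the engineering software judges its session from the reply."""
    return plc.keep_alive(token) in ("OK", "ACK keep-alive")


def scenario(distinguish_replies: bool) -> bool:
    """Log in, have the session end behind the client's back (the article's
    forced logout), then send a keep-alive. Returns what the client believes."""
    plc = Plc(distinguish_replies)
    plc.login("engineer")
    plc.logout("engineer")   # session torn down without the client knowing
    return client_believes_alive(plc, "engineer")
```

With generic replies the client keeps believing the session is live; with request-specific replies the next keep-alive exposes the terminated session, which is the signal a monitoring tool or the software itself can act on.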
A second vuln involved substituting DLLs to modify hard-coded values in commands sent to the PLC – similarly to how the infamous US-Israeli-made Stuxnet worm was used to knacker Iran’s nuclear fuel centrifuges back in the 2000s.
Stuxnet, said Trustwave, “side-loaded a malicious dynamic linked library (DLL), which is used by the software to communicate with the PLC. It intercepted and modified all the legitimate packets to the controllers and successfully uploaded malicious logic codes to change the [PLC] behaviors.”
Schneider Electric said in an advisory: “The result of this vulnerability, DLL substitution, could allow the transference of malicious code to the controller.” The manufacturer urged customers to update their software and review security measures around PLC workstations.
Trustwave itself has had its fair share of bloopers. In 2018 an insurance company filed a $30m lawsuit against it for allegedly bungling an investigation into the hacking of payments processor Heartland, all the way back in 2008. ®