If you miss the happier times of the 2000s, just look up today's SCADA gear which still has Stuxnet-style holes

Schneider Electric patches vulns after Trustwave raises alarm


Two Schneider Electric SCADA products had vulnerabilities similar to the ones exploited in the Iran-bothering Stuxnet worm, an infosec outfit has claimed.

The vulns, uncovered by Trustwave and since patched, could be abused by a malicious person to interact with the SoMachine Basic v1.6 engineering software and the M221 programmable logic controller (PLC) to cause mischief or disrupt operations.

To exploit one of the flaws, you need to be able to reach the PLC via Modbus TCP/IP, and for the other, you need access to the Windows computer running SoMachine. That means you'll in all likelihood need to have compromised and infiltrated the plant, factory, or lab you wish to harm before you can get to work.

Our research shows that SoMachine Basic does not perform adequate checks on critical values

“The impact is that a malicious actor can start and stop the PLC remotely without authenticating with the engineering software,” said Trustwave’s Seok Min Lim in an advisory this week, adding: “Our research shows that SoMachine Basic does not perform adequate checks on critical values used in the communications with PLC. The vulnerability can potentially be used to send manipulated packets to the PLC, without the software being aware of the manipulation.”

Normally, sending commands to a PLC through the engineering software requires authentication; logging in, in plain English. Trustwave, however, found that it could simply capture and replay commands sent by SoMachine, completely bypassing authentication in the process.

Although Schneider’s PLC design was only supposed to accept a single user session from the engineering software at a time, Trustwave was able to use Address Resolution Protocol (ARP) poisoning to keep the session alive while logging out the real user.

“As part of the protocol specification, the PLC responded with a generic 'OK' message that was indistinguishable from the response to the 'Keep Alive' request. As a result, SoMachine Basic was tricked into thinking that 'Keep Alive' message is executed successfully. The software is unaware that the session with the PLC had ended,” explained the Trustwave team.

phishing_648

Southern Water not such a phisherman's phriend, hauls itself offline to tackle email lure

READ MORE

A second vuln involved substituting DLLs to modify hard-coded values in commands sent to the PLC – similarly to how the infamous US-Israeli-made Stuxnet worm was used to knacker Iran’s nuclear fuel centrifuges back in the 2000s.

Stuxnet, said Trustwave, “side-loaded a malicious dynamic linked library (DLL), which is used by the software to communicate with the PLC. It intercepted and modified all the legitimate packets to the controllers and successfully uploaded malicious logic codes to change the [PLC] behaviors.”

Schneider Electric said in an advisory: “The result of this vulnerability, DLL substitution, could allow the transference of malicious code to the controller.” The manufaturer urged customers to update their software and review security measures around PLC workstations.

The French industrial hardware ‘n’ software giant has been the focus of cybersecurity research in recent years, some of which revealed less than optimal practices.

Trustwave itself has had its fair share of bloopers. In 2018 an insurance company filed a $30m lawsuit against it for allegedly bungling an investigation into the hacking of payments processor Heartland, all the way back in 2008. ®


Tech Resources

The State of Application Security 2020

Forrester analyzed the state of application security in 2020 and found over 75% of external attacks are attributed to web application and software exploits.

How backup modernization changes the ransomware game

If the thrill of backing up your data and wondering if you will ever see it again has worn off, start the new year by getting rid of the lingering pain of legacy backup. Bipul Sinha, CEO of the Cloud Data Management Company, Rubrik, and Miguel Zatarain, Director of Global Infrastructure Technology at PACCAR, Fortune 500 manufacturer of trucks and Rubrik customer, are talking to the Reg’s Tim Phillips about how to eliminate the costly, slow and spotty performance of legacy backup, and how to modernize your implementation in 2021 to make your business more resilient.

Webcast Slide Deck | Three reasons you need a hybrid multicloud

Businesses need their IT teams to operate applications and data in a hybrid environment spanning on-premises private and public clouds. But this poses many challenges, such as managing complex networking, re-architecting applications for the cloud, and managing multiple infrastructure silos. There is a pressing need for a single platform that addresses these challenges - a hybrid multicloud built for the digital innovation era. Just this Regcast to find out: Why hybrid multicloud is the ideal path to accelerate cloud migration.

Anatomy of a Private Cloud

Learn the key elements that combined, build a true Private Cloud

Biting the hand that feeds IT © 1998–2021