According to infosec biz Trustwave, two Schneider Electric SCADA products had vulnerabilities similar to those exploited by the Stuxnet worm.
The flaws, found and since fixed by Trustwave, can be used by an attacker to communicate with the SoMachine Basic v1.6 engineering software and the Modicon M221 programmable logic controller (PLC) in order to damage or disrupt the equipment they control.
To exploit one of the vulnerabilities you must be able to reach the PLC over Modbus TCP/IP; for the other, you need access to a Windows computer running SoMachine. That means you probably have to compromise and infiltrate the factory, facility or lab you want to harm before you can get to work.
The effect is that an attacker can start and stop a PLC remotely without having to authenticate to the engineering software, according to Trustwave's Seok Min Lim in an advisory this week: "Our research shows that SoMachine Basic does not sufficiently control the critical values used in its communication with the PLC. The vulnerability can be used to send manipulated packets to the PLC without the software being aware of the manipulation."
Normally, authentication is required before commands can be sent to the PLC via the engineering software, and the connection is plaintext. However, Trustwave discovered that it could simply intercept and replay commands sent by SoMachine, bypassing authentication entirely.
Although the Schneider PLC is designed to accept only one engineering-software session at a time, Trustwave was able to use ARP (Address Resolution Protocol) poisoning to keep the session alive even after the user had logged out.
As the protocol specification requires, the PLC answered with a generic OK message that is indistinguishable from the response to a keep-alive request. As a result, SoMachine Basic was fooled into believing that its keep-alive message had been delivered successfully. The software does not know that the PLC session has ended, the Trustwave team explained.
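The two client-side weaknesses just described, a plaintext command stream that can be captured and replayed, and an ARP-poisoned host taking over the session, both leave traces on the wire that a defender can watch for. The following is an added example, not code from the article, Trustwave or Schneider Electric: a small passive-monitor model that parses the standard Modbus/TCP MBAP header, pins the engineering workstation to an assumed IP/MAC pair, flags state-changing function codes from any other host, and flags exact repeats of an earlier request (same transaction ID and payload, which a legitimate client would not reuse). All addresses and frames are constructed for the demo; Schneider's vendor-specific function codes are not modelled.

```python
"""Added example (not from the article, Trustwave or Schneider): a passive
monitor for unauthenticated Modbus/TCP writes, replayed frames and IP/MAC
binding changes on a PLC network. Every address and frame is constructed."""
import struct
from collections import defaultdict

# Assumed site policy: only this workstation may program the PLC.
ENGINEERING_WS = {"ip": "192.168.10.20", "mac": "00:11:22:33:44:55"}
PLC_IP = "192.168.10.50"
# Standard Modbus function codes that change controller state
# (assumption: vendor-specific codes are out of scope for this demo).
WRITE_FUNCTIONS = {5, 6, 15, 16}


def build_request(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) + PDU."""
    return struct.pack(">HHHB", tid, 0, len(data) + 2, unit) + bytes([function]) + data


def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse the MBAP header and function code of a Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "function": payload[7], "data": payload[8:]}


class PlcTrafficMonitor:
    """Stateful inspector fed one captured request at a time."""

    def __init__(self) -> None:
        self.ip_to_mac: dict[str, str] = {}
        # (tid, unit, function, data) -> how many times it has been seen
        self.seen_requests: defaultdict[tuple, int] = defaultdict(int)

    def inspect(self, src_ip: str, src_mac: str, dst_ip: str, payload: bytes) -> list[str]:
        alerts = []
        # 1. An IP whose MAC suddenly changes is the hallmark of ARP poisoning.
        known_mac = self.ip_to_mac.setdefault(src_ip, src_mac)
        if known_mac != src_mac:
            alerts.append(f"mac-change {src_ip}: {known_mac} -> {src_mac}")
        if dst_ip != PLC_IP:
            return alerts
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as err:
            return alerts + [f"malformed {err}"]
        is_write = req["function"] in WRITE_FUNCTIONS
        # 2. A state-changing command from anything but the allow-listed workstation.
        if is_write and (src_ip, src_mac) != (ENGINEERING_WS["ip"], ENGINEERING_WS["mac"]):
            alerts.append(f"unauthorised-write fc={req['function']} from {src_ip}")
        # 3. Byte-for-byte repeat of an earlier write: a plaintext replay.
        key = (req["tid"], req["unit"], req["function"], req["data"])
        self.seen_requests[key] += 1
        if is_write and self.seen_requests[key] > 1:
            alerts.append(f"replayed-write fc={req['function']} tid={req['tid']} "
                          f"seen {self.seen_requests[key]} times")
        return alerts


def run_scenario() -> list[list[str]]:
    """Constructed traffic: legitimate write, its replay, then an ARP-spoofed sender."""
    mon = PlcTrafficMonitor()
    attacker_ip, attacker_mac = "192.168.10.99", "de:ad:be:ef:00:01"
    # Hypothetical "start" command: write single coil (fc 5), coil 0 ON.
    start_cmd = build_request(tid=1, unit=1, function=5, data=b"\x00\x00\xff\x00")
    results = [mon.inspect(ENGINEERING_WS["ip"], ENGINEERING_WS["mac"], PLC_IP, start_cmd)]
    # The same captured bytes re-sent from another host.
    results.append(mon.inspect(attacker_ip, attacker_mac, PLC_IP, start_cmd))
    # The attacker now answers ARP for the workstation's IP with its own MAC.
    keepalive = build_request(tid=2, unit=1, function=3, data=b"\x00\x00\x00\x01")
    results.append(mon.inspect(ENGINEERING_WS["ip"], attacker_mac, PLC_IP, keepalive))
    return results


if __name__ == "__main__":
    for step, alerts in enumerate(run_scenario(), 1):
        print(step, alerts or "ok")
```

The monitor deliberately inspects the client side of the exchange: as the article notes, the PLC's generic OK response carries no information about whether the session is genuine, so the response stream alone cannot reveal a hijack. In practice the IP/MAC table would be seeded from a switch's port-security or DHCP records rather than learned from the first packet seen.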
The second vuln involved replacing a DLL to alter hard-coded values in the commands sent to the controller, following the example of the infamous American-Israeli Stuxnet worm, which was used in the 2000s to wreck Iranian nuclear fuel centrifuges.
According to Trustwave, Stuxnet swapped in a malicious DLL (Dynamic Link Library) used by the engineering software to communicate with the PLC. It intercepted and modified all legitimate packets to the controllers and managed to upload malicious logic code that changed the PLCs' behaviour.
Schneider Electric said in its advisory that exploitation of this vulnerability, by spoofing the DLL, could enable the transfer of malicious code to the controller. The manufacturer has urged customers to update the software and review the security measures around their PLC workstations.
In recent years, the industrial hardware giant has been the subject of a good deal of cybersecurity research, which has in some cases uncovered sub-optimal practices.
Trustwave itself has had its share of slip-ups. In 2018, insurers sued it for $30 million over its investigation of the 2008 hack of payment processor Heartland. ®
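Schneider's advice to review the security measures around PLC workstations maps directly onto the DLL-swap attack: a replaced communication library has the same name as the original but different contents, so a hash baseline of the engineering software's install directory will catch it. The following is an added example, not code from the article or from Schneider Electric or Trustwave: it builds a SHA-256 manifest of DLL and EXE files under a directory, then diffs a later scan against it, reporting modified, missing and added files. The directory, file names and contents are constructed for the demo and are not real product paths.

```python
"""Added example (not from the article, Schneider or Trustwave): a minimal
file-integrity baseline for an engineering workstation's install directory,
aimed at the DLL-replacement technique described above. All paths and file
contents are constructed placeholders."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumption: the vendor install ships native binaries with these suffixes.
WATCHED_SUFFIXES = {".dll", ".exe"}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each watched file (path relative to root, '/'-separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def compare_to_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Rescan root and classify every difference from the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a fake install dir, then swap one DLL."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "engineering_tool.exe").write_bytes(b"constructed exe bytes")  # hypothetical name
        (root / "comm").mkdir()
        (root / "comm" / "plc_link.dll").write_bytes(b"constructed dll bytes v1")  # hypothetical name
        (root / "README.txt").write_text("not a binary, so not tracked")
        # The baseline is what you would store signed and off the workstation.
        stored = json.dumps(build_baseline(root))
        # Attacker-style substitution: same file name, different contents.
        (root / "comm" / "plc_link.dll").write_bytes(b"constructed dll bytes v2")
        (root / "comm" / "extra.dll").write_bytes(b"constructed unexpected library")
        return compare_to_baseline(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline only has value if it is kept where the same attacker cannot rewrite it, for example on read-only media or in a central monitoring host, and compared on a schedule. Verifying the vendor's code-signing signatures on each binary is a stronger control than a self-built hash list, but it is outside the scope of this example.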