Cyber security vendor Indegy disclosed a vulnerability in a Schneider Electric software application that can be used to remotely control industrial processes at the 2016 Industrial Control Systems Cyber Security Conference in Atlanta today.
According to Mille Gandelsman, CTO of Indegy, the flaw allows attackers to evade virtually all existing security measures, including network firewalls, AV, application whitelisting, etc.
It also affects SCADA implementations in multiple industries, so it has far reaching implications.
“Schneider Electric has been very responsive throughout our engagement with them on the responsible disclosure of this vulnerability,” Gandelsman told Homeland Security Today. “They have fixed the issue in their new product release.”
In response to Indegy’s disclosure, Schneider Electric published an important security notification and developed a new release of its product which fixes this vulnerability.
Gandelsman said, “It’s important to note that no user interaction is required to exploit the vulnerability since it’s a remote code execution. Therefore, if the attacked computer is routable from the attacker’s computer, the attacker can execute arbitrary code on it.”
“The ability for an attacker to execute arbitrary code in an ICS environment means they can reprogram industrial controllers and manipulate critical processes any way they want. This can lead to any number of problems, including shutdowns and physical damage,” Gandelsman said.
According to Gandelsman and Avihay Kain, R&D at Indegy, “As part of our ongoing R&D efforts we occasionally discover vulnerabilities in industrial controllers (PLCs, RTUs, DCS etc.) and software tools. Recently, the Indegy Labs team discovered a vulnerability in Unity Pro, Schneider Electric’s flagship software application for managing and programming industrial controllers. Before we get into the specifics, it’s important to point out that unlike in IT networks, a vulnerability is not necessarily required to compromise controllers in an ICS network. That’s because:”
- Industrial controllers lack authentication
- Industrial communication protocols lack encryption
“Surprising as it might sound,” they announced today, “anyone who has access to the control network also has unfettered access to all of its industrial controllers. This means that anyone who can ping a controller can probably send it a stop command or reprogram the device to cause operational disruptions. Nonetheless, some vulnerabilities can pose exceptional risk to ICS networks.”
Indegy said, “The vulnerability in Unity Pro allows any user to remotely execute code directly on any computer on which this product is installed, in debug privileges. The vulnerable software tool is present in every control network in the world that uses Schneider-Electric controllers. Regardless of the SCADA/DCS applications in use, if Schneider Electric controllers are deployed, this software will be used on the engineering workstations. This makes this attack relevant across virtually any process controlled by these PLCs. Since Schneider Electric is one of the largest industrial control equipment providers, this vulnerability is a major concern.”
Indegy stressed, however, that “Schneider Electric has developed a new release of its product which fixes this vulnerability.”
Indegy said, “The vulnerability found affects all versions of this software, including the latest one. It resides in one of its components named ‘Unity Pro PLC Simulator,’ that is used to test industrial controllers’ code prior to executing it on the controllers themselves. The control code projects are compiled as x86 instructions and loaded onto the PLC Simulator using a proprietary format named ‘apx.’”
Indegy said, “Since these x86 instructions are later executed ‘as is’ by the simulator, an attacker can direct their control flow to execute arbitrary malicious code. As bothersome as this might sound (being a somewhat ‘classical’ data/code mixture), the knock-out is that receiving .apx files from a remote location to execute them on the simulator is natively supported by the Unity Pro software platform!”
“To implement the attack,” Indegy explained, “no patching of the simulator process at any stage is needed, only the .apx file is being patched. To build such an .apx file, the attacker needs to create a large project file with enough random binary PLC code, and then replace it with the combination of bridgehead shellcode and malicious payload. To preserve the integrity of the file, the attacker then needs to overcome several checksum calculations. Finally, the specially crafted project file is downloaded to the simulator remotely over a TCP port, which is open by default. There are few available implementations allowing one to download an .apx file to a simulator or a controller without wrapping it with the file format used by Unity Pro (though this path could be taken as well, which will result in a weaker attack). The latter is done by imitating Unity Pro’s communication protocol with the controllers.”
Indegy recommended, “The vulnerability in the simulator component of Unity Pro enables attackers to natively access industrial controllers and use a manipulated .apx file to execute malicious code. Since the delivery of the .apx file is an engineering control-plane activity, executed over a proprietary protocol, it is difficult to identify and detect. The use of proprietary protocols for control-plane activities is a common yet misunderstood practice in ICS networks. Unlike IT networks where data-plane and control-plane activities are executed over the same communication protocols, in ICS networks different protocols are used for these activities.”
Continuing, Indegy said, “Widely known protocols like MODBUS, PROFINET and DNP3, are all data-plane protocols. However, this is not where dangerous manipulations to ICS/SCADA networks and industrial controllers take place. The control-plane activities, which include all engineering and management activities performed on controllers (PLCs, RTUs) are executed over proprietary, vendor specific protocols which are unnamed, undocumented and unmonitored. To identify such attacks and ensure the integrity of critical control devices, the proprietary control-plane protocols of ICS networks must be monitored.”
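The monitoring recommendation above (separate data-plane traffic from control-plane engineering activity, and watch the latter) can be turned into a concrete rule. The following is an added example written for this page, not Indegy’s or Schneider Electric’s code. It assumes a constructed asset inventory (engineering workstations, controllers, a workstation running the PLC Simulator), constructed flow records of the form `timestamp src dst dst_port`, and a placeholder port number `9999` standing in for the vendor’s proprietary engineering port, which the article does not name. The well-known data-plane defaults used for classification are Modbus/TCP 502 and DNP3 20000.

```python
"""Added example: flag control-plane (engineering) sessions toward ICS hosts.

Rules, from a defender's viewpoint:
  1. A control-plane session to a controller from a host that is not an
     engineering workstation is alerted on.
  2. A control-plane session to a host running the PLC Simulator is alerted
     on, since (assumption) simulator testing is normally local.
Data-plane traffic (Modbus/TCP, DNP3) is classified but not alerted on here.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed asset inventory for the example (not from the article).
ENGINEERING_WORKSTATIONS = {"10.0.1.10", "10.0.1.11"}
CONTROLLERS = {"10.0.2.21", "10.0.2.22"}
SIMULATORS = {"10.0.1.50"}  # workstation running the PLC Simulator

# Known data-plane defaults; the control-plane port is a PLACEHOLDER ASSUMPTION
# standing in for the vendor-specific engineering protocol port.
DATA_PLANE_PORTS = {502: "MODBUS/TCP", 20000: "DNP3"}
CONTROL_PLANE_PORT = 9999


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    reason: str


def parse_flows(text: str) -> List[Flow]:
    """Parse constructed 'ts src dst dport' lines; blanks and '#' comments are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(ts, src, dst, int(dport)))
    return flows


def plane(flow: Flow) -> str:
    """Classify a flow as data-plane, control-plane, or other by destination port."""
    if flow.dport in DATA_PLANE_PORTS:
        return "data-plane"
    if flow.dport == CONTROL_PLANE_PORT:
        return "control-plane"
    return "other"


def evaluate(flows: List[Flow]) -> List[Alert]:
    """Apply the two control-plane rules and return the resulting alerts in order."""
    alerts: List[Alert] = []
    for f in flows:
        if plane(f) != "control-plane":
            continue  # data-plane reads/writes are outside this rule's scope
        if f.dst in SIMULATORS:
            # ASSUMPTION: simulator use is local, so any network session to its
            # engineering port deserves a look (the article notes the port is open by default).
            alerts.append(Alert(f.ts, f.src, f.dst, "remote project download to PLC Simulator"))
        elif f.dst in CONTROLLERS and f.src not in ENGINEERING_WORKSTATIONS:
            alerts.append(Alert(f.ts, f.src, f.dst, "control-plane session from non-engineering host"))
    return alerts


def summarize(flows: List[Flow]) -> Dict[str, int]:
    """Count flows per plane, which shows how much traffic the data-plane view misses."""
    counts: Dict[str, int] = {}
    for f in flows:
        counts[plane(f)] = counts.get(plane(f), 0) + 1
    return counts


# Constructed sample flow log (not real capture data).
SAMPLE_LOG = """
# ts                   src        dst        dport
2016-10-25T10:00:01Z 10.0.3.5   10.0.2.21  502
2016-10-25T10:00:05Z 10.0.1.10  10.0.2.21  9999
2016-10-25T10:00:09Z 10.0.3.5   10.0.2.22  9999
2016-10-25T10:00:12Z 10.0.3.5   10.0.1.50  9999
2016-10-25T10:00:15Z 10.0.1.11  10.0.2.22  20000
"""

if __name__ == "__main__":
    sample = parse_flows(SAMPLE_LOG)
    print(summarize(sample))
    for a in evaluate(sample):
        print(f"{a.ts} {a.src} -> {a.dst}: {a.reason}")
```

In the constructed sample, the HMI-style host `10.0.3.5` polling a controller over Modbus/TCP raises nothing, while the same host opening the engineering port toward a controller and toward the simulator produces two alerts; the engineering workstations' own sessions pass. In practice the port-based classifier would be replaced by a parser for the vendor protocol, but the split between data-plane polling and control-plane programming is the part that needs monitoring.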