Claroty finds four vulnerabilities in Schneider Electric OT device

19 Nov 2020

Claroty and Schneider Electric have announced mitigations for four vulnerabilities in Schneider Electric’s Modicon M221 programmable logic controller (PLC), as well as the EcoStruxure Machine Expert Basic.

The M221 is a device that provides basic automation capabilities for machines, and it is often found in industrial sectors such as energy and manufacturing.

The unmitigated vulnerabilities could give an attacker access to the device, enabling the attacker to break encryption, modify code, and run certain commands.

Claroty researchers Yehuda Anikster and Rei Henigman explain that the attacker would need to have already gained access to an operational technology (OT) network to exploit these vulnerabilities, and would also need to capture traffic between the PLC and EcoStruxure Machine Expert Basic.

Claroty acknowledges that Schneider Electric does what it can to keep the Modicon M221 secure with password hashes, server-side authentication and stronger encryption.
However, those efforts have not been flawless - Anikster and Henigman describe the remaining weaknesses as ‘shortcomings’.

The four most recent vulnerabilities include:

  • CVE-2020-7565 (Related CWE-326: Inadequate Encryption Strength)
  • CVE-2020-7566 (Related CWE-334: Small Space of Random Values)
  • CVE-2020-7567 (Related CWE-311: Missing Encryption of Sensitive Data)
  • CVE-2020-7568 (Related CWE-200: Exposure of Sensitive Information to an Unauthorised Actor)

Researchers explain that an attacker could capture traffic between the PLC and EcoStruxure Machine Expert Basic - traffic that could include upload and download data, as well as successful authentications. That data is encrypted with a four-byte repeating XOR key, which is a weak method of encryption: anyone who knows or can guess a few bytes of the plaintext can recover the key directly, and statistical analysis of enough captured traffic reveals it even without known plaintext.
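As an added illustration of why a short repeating XOR key is rated CWE-326 (this is constructed example code, not Claroty's analysis or Schneider Electric's implementation, and the message formats, key and header are assumptions), the block below places a four-byte XOR scheme beside a keystream drawn from a keyed PRF with a per-message nonce. With the weak scheme, four bytes of known plaintext from one message recover the session key and decrypt every other message; with the PRF keystream, the same known plaintext reveals only keystream bytes bound to that one nonce and nothing reusable.

```python
# Added example, not code from the article or from Schneider Electric.
# Constructed "protocol cipher": XOR with a repeating 4-byte key (weak),
# beside a keystream from HMAC-SHA256 in counter mode with a fresh nonce.
import hashlib
import hmac
from itertools import cycle

KEY_LEN = 4  # four-byte repeating key, as the article describes (assumed scheme)


def xor_bytes(data: bytes, keystream: bytes) -> bytes:
    """XOR data with an equally long keystream; symmetric, so it encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, keystream))


def weak_encrypt(data: bytes, key: bytes) -> bytes:
    """CWE-326 style: the same four key bytes are reused across every message of a session."""
    return xor_bytes(data, bytes(k for _, k in zip(data, cycle(key))))


def recover_repeating_key(ciphertext: bytes, known_plaintext: bytes, key_len: int = KEY_LEN) -> bytes:
    """Known-plaintext recovery: key[i] = c[i] ^ p[i], so key_len aligned bytes suffice."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of aligned known plaintext")
    return xor_bytes(ciphertext[:key_len], known_plaintext[:key_len])


def prf_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from a keyed PRF: HMAC-SHA256(key, nonce || counter), block by block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def strong_encrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Keystream depends on a per-message nonce, so keystream bytes are never reused."""
    return xor_bytes(data, prf_keystream(key, nonce, len(data)))


def demo() -> dict:
    """Run both schemes on constructed traffic and report what known plaintext yields."""
    header = b"HELO"                       # constructed fixed header = known plaintext
    msg1 = header + b" session open"
    msg2 = header + b" rw-hash=deadbeef"   # constructed placeholder, not a real hash

    # Weak scheme: one 4-byte key for the whole session.
    weak_key = b"\x13\x37\xca\xfe"         # constructed
    c1, c2 = weak_encrypt(msg1, weak_key), weak_encrypt(msg2, weak_key)
    recovered = recover_repeating_key(c1, header)

    # Strong scheme: 32-byte PRF key, distinct nonce per message (all constructed).
    strong_key = bytes(range(32))
    n1, n2 = b"nonce-msg-01", b"nonce-msg-02"
    s1, s2 = strong_encrypt(msg1, strong_key, n1), strong_encrypt(msg2, strong_key, n2)
    # Full knowledge of msg1 leaks msg1's keystream, but only for nonce n1.
    leaked_ks = xor_bytes(s1, msg1)
    guess_msg2 = xor_bytes(s2[:len(leaked_ks)], leaked_ks)

    return {
        "weak_key_recovered": recovered == weak_key,
        "weak_msg2_decrypted": weak_encrypt(c2, recovered) == msg2,
        "strong_msg2_recovered": guess_msg2 == msg2[:len(guess_msg2)],
        "strong_roundtrip": strong_encrypt(s2, strong_key, n2) == msg2,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point for designers and reviewers is the `demo()` result: the weak scheme's key falls out of four bytes of ciphertext, while the PRF scheme bounds the damage of known plaintext to a single message. A production design would add integrity (an AEAD mode) on top of the keystream; the block stops at confidentiality because that is the property the article's CWE-326 finding concerns.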

“Data such as read-write password hashes is transferred using the weak encryption mechanism, and therefore can be extracted and passed in Pass-the-Hash attacks to authenticate an attacker to the PLC. This works because only the hash is used in authentication exchanges. From there, an attacker can execute privileged commands, such as uploading malicious updates or code to a PLC or downloading information from the device,” the researchers explain.

Furthermore, there are cryptographic implementation vulnerabilities in the key exchange mechanism itself: its design leaves the exchanged secret small enough that brute force or a rainbow-table attack makes decryption feasible.

“An attacker who is able to capture enough traffic should be able to deduce the client-side or server-side secret in either exchange and would be able to break encrypted read-write commands and the encrypted password hashes. This puts the entire key-exchange mechanism at risk,” researchers say.

Schneider Electric also suggests that any organisation using the M221 device should: implement a firewall that blocks unauthorised access to TCP port 502; set up network segmentation; and disable unused protocols, such as the Programming protocol in the Modicon M221 application.
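To make the first of those recommendations checkable, here is an added example (not part of the article and not Schneider Electric's guidance) that applies the "block unauthorised access to TCP port 502" rule to connection-log lines. The log line format, the addresses, and the allow-list of an engineering workstation subnet are all constructed assumptions; the idea is to confirm that only approved sources ever reach the PLC's Modbus/TCP port, and to surface any connection the firewall let through that the policy says it should not have.

```python
# Added example, not from the article or from Schneider Electric.
# Checks constructed connection-log lines against a Modbus/TCP (port 502) allow-list.
import ipaddress
import re
from typing import List, Optional, Tuple

MODBUS_TCP_PORT = 502  # the port the article's mitigation advice refers to

# Assumed allow-list: only the engineering workstation subnet may talk to the PLC on 502.
APPROVED_SOURCES = [ipaddress.ip_network("10.10.5.0/24")]

# Assumed log line shape: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>\w+)$"
)

Hit = Tuple[str, str, str, str]  # (timestamp, src, dst, firewall action)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into its fields, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_approved(src: str) -> bool:
    """True when the source address lies inside an approved subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in APPROVED_SOURCES)


def find_unauthorised_modbus(lines: List[str]) -> List[Hit]:
    """Every TCP/502 connection attempt from a non-approved source, allowed or denied."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].upper() != "TCP":
            continue
        if int(rec["dport"]) != MODBUS_TCP_PORT:
            continue
        if not is_approved(rec["src"]):
            hits.append((rec["ts"], rec["src"], rec["dst"], rec["action"].upper()))
    return hits


def policy_gaps(lines: List[str]) -> List[Hit]:
    """Unauthorised TCP/502 connections the firewall ALLOWED: the rule is missing or wrong."""
    return [h for h in find_unauthorised_modbus(lines) if h[3] == "ALLOW"]


# Constructed sample log: an approved programming session, a corporate-LAN host that
# got through, a blocked attempt from an unknown address, and unrelated traffic.
SAMPLE_LOG = [
    "2020-11-19T09:00:01Z TCP 10.10.5.20:51000 -> 10.10.9.10:502 ALLOW",
    "2020-11-19T09:05:42Z TCP 10.20.1.15:40211 -> 10.10.9.10:502 ALLOW",
    "2020-11-19T09:06:03Z TCP 192.168.77.4:33333 -> 10.10.9.10:502 DENY",
    "2020-11-19T09:07:10Z TCP 10.20.1.15:40212 -> 10.10.9.10:443 ALLOW",
    "2020-11-19T09:08:00Z UDP 10.20.1.15:5353 -> 10.10.9.10:502 ALLOW",
]

if __name__ == "__main__":
    for ts, src, dst, action in find_unauthorised_modbus(SAMPLE_LOG):
        print(f"{ts} unauthorised Modbus/TCP {src} -> {dst} ({action})")
    print("policy gaps:", policy_gaps(SAMPLE_LOG))
```

Denied attempts from outside the allow-list show the firewall is doing its job and are worth alerting on as reconnaissance; an ALLOW from outside the allow-list is the finding that matters, because it means the segmentation the advisory calls for is not actually in place for that path.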
