Vulnerabilities reminiscent of Stuxnet found in two Schneider Electric products could allow an attacker to gain operation control of a device by intercepting then retransmitting commands.
Trustwave’s Global OT/IoT security research team uncovered the flaws in Schneider’s SoMachine Basic v1.6 and Schneider Electric M221, firmware version 220.127.116.11, Programmable Logic Controller (PLC). By exploiting the flaws, a malicious actor could take control of the devices in the same manner operators circa 2005 used the Stuxnet worm to control and ultimately cause Iran’s nuclear centrifuges to destroy themselves.
Trustwave analysts were able to use the Schneider Electric vulnerability to intercept, change, then resend commands between the engineering software and the PLC.
“The impact is that a malicious actor can start and stop the PLC remotely without authenticating with the engineering software,” Trustwave reported. “The malicious actor can also change the ladder logic in the PLC without authentication.”
The second issue is spun off the fact that SoMachine Basic does not perform adequate checks on critical values used in the communications with PLC. If exploited an attacker could potentially be used to send manipulated packets to the PLC, without the software being aware of the manipulation.
“The team has found that it is possible to bypass software authentication by replaying previously captured packets in the network,” Trustwave said. “This method of replay works for various control plane commands, including stopping the PLC and downloading ladder logic to the PLC.”
That’s eerily similar to Stuxnet’s modus operandi, which, according to a 2010 Symantec report, infected one of the Iranian engineering workstations that was being used to manage and control the Siemens Step 7 PLC. Stuxnet infected all the Step 7 projects and side-loaded a malicious dynamic linked library (DLL), which is used by the software to communicate with the PLC. It intercepted and modified all the legitimate packets to the controllers and successfully uploaded malicious logic codes to change the controller behaviors. The malicious library file prevented PLC operators from realizing that the PLCs were compromised.
Schneider has patched the SoMachine Basic v1.6 vulnerability and is working on a final mitigation for the second attack. In the meantime the company recommended users block the port on the firewall or disable the protocol. In addition, Trustwave urged organizations to harden the network through micro segmentation and zoning, ensuring that ICS assets and network are monitored for abnormal communications.