Dark Reading is part of the Informa Tech Division of Informa PLC


Security Researcher Details New SCADA Bugs

Supervisory control and data acquisition systems' programmable logic controllers could be remotely accessed and loaded with trojanized firmware.

The Department of Homeland Security (DHS) issued a security alert Monday for an Ethernet add-on for the Schneider Electric Quantum programmable logic controller (PLC). Such controllers can be used to help manage industrial processes inside everything from physical manufacturing plants and printing presses to prisons and power plants.

According to the DHS's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which released the alert Monday, the Schneider Electric Quantum Ethernet Module contains multiple hardcoded credentials. An attacker who knows them can bypass the device's built-in authentication and use the module's functions directly.

The devices can be reached remotely over three services: Telnet, the Windriver Debug port, and FTP. Once in, an attacker could view or alter the module's firmware, execute arbitrary code, or cause a denial of service. That matters because the Ethernet module exists to let the Quantum PLC talk to other systems and devices over an Ethernet network. An attacker could therefore compromise the Ethernet module, load "trojanized firmware" onto it, and use that foothold to attack the PLC behind it.


The vulnerability was spotted by supervisory control and data acquisition (SCADA) security researcher Ruben Santamarta, who detailed the related bugs Monday in a blog post. ICS-CERT said that Santamarta had notified it of the vulnerabilities prior to publishing details about them.

Santamarta also acknowledged that he was releasing information about the bugs when no patch yet exists. "I reported it to the ICS-CERT months ago, I would like to thank the ICS-CERT and the Schneider security team, they have taken these issues very seriously and are working on a patch. During the process they have been keeping me updated on every [decision]/progress. However, [some] time ago I decided to change my disclosure policy," said Santamarta.

Santamarta said the devices' firmware, which he reverse-engineered, was built on the VxWorks operating system, one of the most widely deployed embedded operating systems. VxWorks is commonly debugged through the Windriver Debug (WDB) agent, and as security researcher HD Moore showed last year, when that agent is left enabled on devices in the field, anyone who can reach it can read the device's memory or call its functions.

Furthermore, VxWorks's built-in login password hashing is weak, a well-known issue, so recovering administrator passwords from the hashes embedded in firmware built on the operating system is relatively easy. That's what Santamarta did.

To date, four Schneider Electric product lines, each spanning several firmware versions, carry the vulnerabilities: Quantum (7 versions), Premium (8 versions), M340 (4 versions), and STB DIO (3 versions). According to ICS-CERT, Schneider Electric has so far developed fixes only for the most recent firmware versions of the Quantum and M340, and those fixes have yet to be released. The fixes work by removing the modules' Telnet and Windriver services outright, so, said ICS-CERT, "organizations need to evaluate the impact of removing these services prior to applying this fix."

On a related note, ICS-CERT last week warned that thousands of industrial control systems are Internet-connected, yet not secured with firewalls or strong authentication. Furthermore, these systems can often be discovered by using free search tools, such as Shodan, that scour the Internet for devices that contain embedded Web servers.
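The practical check that follows from the above is an inventory: which of your Ethernet modules actually expose FTP, Telnet or the WDB port to a network an attacker could reach, both for deciding whether the Telnet/WDB-removing fix will break anything and for finding devices that would also show up in Shodan. The script below is an added example for this article, not Schneider Electric, ICS-CERT or Santamarta's tooling. It grabs banners on TCP/21 and TCP/23 (VxWorks announces itself in its FTP banner), and separately accepts a result for UDP/17185, the WDB RPC port, which does not send a banner and needs a WDB-aware probe such as Metasploit's wdbrpc_version module. Host addresses, banners and the HostFinding layout are constructed for the example.

```python
"""Hypothetical PLC exposure audit (added example, not vendor tooling).

Probes TCP/21 (FTP) and TCP/23 (Telnet) on each host, tags VxWorks
banners, and summarises which of the advisory's three access paths
are reachable.  UDP/17185 (WDB agent) cannot be banner-grabbed; pass a
result for it from a WDB-aware probe if you have one.
"""
import re
import socket
from dataclasses import dataclass, field

FTP_PORT, TELNET_PORT, WDB_PORT = 21, 23, 17185
VXWORKS_RE = re.compile(r"vxworks", re.I)


@dataclass
class HostFinding:
    host: str
    open_ports: list = field(default_factory=list)
    banners: dict = field(default_factory=dict)
    vxworks: bool = False
    notes: list = field(default_factory=list)


def grab_banner(host, port, timeout=2.0):
    """Connect to host:port; return (open, banner).  Banner may be ''."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""
        return True, data.decode("ascii", "replace").strip()
    except OSError:
        return False, ""


def assess(host, banners):
    """Pure classification.  banners maps port -> banner text for an
    open port, or None for closed/unreachable, so it can be unit tested
    without a network."""
    f = HostFinding(host=host)
    for port, banner in banners.items():
        if banner is None:
            continue
        f.open_ports.append(port)
        f.banners[port] = banner
        if VXWORKS_RE.search(banner):
            f.vxworks = True
    if FTP_PORT in f.open_ports:
        f.notes.append("FTP reachable: firmware read/write if the hardcoded credentials are accepted")
    if TELNET_PORT in f.open_ports:
        f.notes.append("Telnet reachable: cleartext shell; the vendor fix removes this service")
    if WDB_PORT in f.open_ports:
        f.notes.append("WDB agent reachable: memory read and function calls without authentication")
    return f


def probe_host(host, wdb_open=None):
    """Live probe of one host.  wdb_open is an external WDB probe result
    (True/False) or None if unknown."""
    banners = {}
    for port in (FTP_PORT, TELNET_PORT):
        opened, banner = grab_banner(host, port)
        banners[port] = banner if opened else None
    if wdb_open is not None:
        banners[WDB_PORT] = "" if wdb_open else None
    return assess(host, banners)


# Constructed sample results standing in for a live scan of a PLC segment.
SAMPLE_SCAN = {
    "192.0.2.10": {
        FTP_PORT: "220 VxWorks (VxWorks5.4.2) FTP server ready",
        TELNET_PORT: "VxWorks login:",
        WDB_PORT: "",          # WDB probe answered
    },
    "192.0.2.11": {FTP_PORT: None, TELNET_PORT: None, WDB_PORT: None},
}


def audit_sample(scan=SAMPLE_SCAN):
    """Classify every host in a scan result; returns {host: HostFinding}."""
    return {host: assess(host, banners) for host, banners in scan.items()}


if __name__ == "__main__":
    for host, finding in audit_sample().items():
        tag = "VxWorks" if finding.vxworks else "unknown OS"
        print(f"{host} ({tag}) open={sorted(finding.open_ports)}")
        for note in finding.notes:
            print("  -", note)
```

Run it against a real segment by replacing `audit_sample()` with `probe_host()` calls from a host that is on the same network path as the engineering workstations; a module that is only reachable from an isolated control VLAN is a much smaller problem than one the corporate LAN or the Internet can reach.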

