
Claroty finds four vulnerabilities in Schneider Electric OT device

19 Nov 2020

Claroty and Schneider Electric have announced mitigations for four vulnerabilities in Schneider Electric’s Modicon M221 programmable logic controller (PLC), as well as the EcoStruxure Machine Expert Basic.

The M221 is a device that provides basic automation capabilities for machines, and it is often found in industrial sectors such as energy and manufacturing.

The unmitigated vulnerabilities could give an attacker access to the device, enabling the attacker to break encryption, modify code, and run certain commands.

Claroty researchers Yehuda Anikster and Rei Henigman explain that the attacker would need to have already gained access to an operational technology (OT) network to exploit these vulnerabilities, and would also need to capture traffic between the PLC and EcoStruxure Machine Expert Basic.

Claroty acknowledges that Schneider Electric does what it can to keep the Modicon M221 secure with password hashes, server-side authentication and stronger encryption.
However, Schneider Electric’s efforts have not been flawless - Anikster and Henigman describe these as ‘shortcomings’.

The four most recent vulnerabilities include:

  • CVE-2020-7565 (Related CWE-326: Inadequate Encryption Strength)
  • CVE-2020-7566 (Related CWE-334: Small Space of Random Values)
  • CVE-2020-7567 (Related CWE-311: Missing Encryption of Sensitive Data)
  • CVE-2020-7568 (Related CWE-200: Exposure of Sensitive Information to an Unauthorised Actor)

Researchers explain that an attacker could capture traffic between the PLC and EcoStruxure Machine Expert Basic - traffic that could include upload and download data, as well as successful authentications. The data is encrypted using a four-byte XOR key, which is considered to be a weak method of encryption. An XOR key can be exploited through known-plaintext attacks and statistical analysis.
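To make the weakness behind CVE-2020-7565 concrete, here is an added illustration (not Claroty's or Schneider Electric's code) of why a fixed four-byte XOR key counts as inadequate encryption strength: four bytes of predictable plaintext are enough to recover the whole key and decrypt everything else. The key, header and message layout are constructed for the demo and are not the real M221 protocol format.

```python
# Added illustration (not Claroty's or Schneider Electric's code) of why a
# fixed four-byte XOR key counts as inadequate encryption strength (CWE-326):
# four bytes of predictable plaintext reveal the whole key. The message
# layout and key below are constructed for the demo, not the M221 format.

def xor4(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same four key bytes are reused every 4 bytes.
    Because XOR is its own inverse, this both 'encrypts' and decrypts."""
    if len(key) != 4:
        raise ValueError("key must be exactly 4 bytes")
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plain: bytes, offset: int) -> bytes:
    """Known-plaintext recovery: c[i] ^ p[i] == key[i % 4], so any four
    consecutive plaintext bytes at a known offset yield the entire key."""
    if len(known_plain) < 4:
        raise ValueError("need at least 4 consecutive known plaintext bytes")
    key = bytearray(4)
    for i, p in enumerate(known_plain[:4]):
        key[(offset + i) % 4] = ciphertext[offset + i] ^ p
    return bytes(key)


# Constructed sample: a predictable 4-byte header (protocol headers usually
# are predictable) followed by a field a defender would not want exposed.
KEY = bytes.fromhex("a1b2c3d4")                      # constructed, not real
HEADER = b"HDR1"                                     # constructed header
PLAINTEXT = HEADER + b"rw_hash=" + bytes(range(16))  # 16 dummy hash bytes


def demo() -> bool:
    """Encrypt with the 4-byte key, recover it from the header alone and
    check that the whole message, hash field included, decrypts."""
    ciphertext = xor4(PLAINTEXT, KEY)
    guessed = recover_key(ciphertext, HEADER, 0)
    return guessed == KEY and xor4(ciphertext, guessed) == PLAINTEXT
```

This is the property that lets a captured session be read back in full once any predictable field is known, which is why a per-session key from a sound key exchange, or an authenticated cipher, is the mitigation rather than a longer XOR key.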

“Data such as read-write password hashes is transferred using the weak encryption mechanism, and therefore can be extracted and passed in Pass-the-Hash attacks to authenticate an attacker to the PLC. This works because only the hash is used in authentication exchanges. From there, an attacker can execute privileged commands, such as uploading malicious updates or code to a PLC or downloading information from the device,” the researchers explain.

Furthermore, there are also cryptographic implementation vulnerabilities located within the key exchange mechanism, which is designed in a way that makes decryption possible if an attacker used a brute force or rainbow table attack.

“An attacker who is able to capture enough traffic should be able to deduce the client-side or server-side secret in either exchange and would be able to break encrypted read-write commands and the encrypted password hashes. This puts the entire key-exchange mechanism at risk,” researchers say.

Schneider Electric also suggests that any organisation using the M221 device should: implement a firewall that blocks unauthorised access to TCP port 502; set up network segmentation; and disable unused protocols, such as the Programming protocol in the Modicon M221 application.
