Claroty finds four vulnerabilities in Schneider Electric OT device

Claroty and Schneider Electric have announced mitigations for four vulnerabilities in Schneider Electric’s Modicon M221 programmable logic controller (PLC), as well as the EcoStruxure Machine Expert Basic.

The M221 is a device that provides basic automation capabilities for machines, and it is often found in industrial sectors such as energy and manufacturing.

The unmitigated vulnerabilities could give an attacker access to the device, enabling the attacker to break encryption, modify code, and run certain commands.

Claroty researchers Yehuda Anikster and Rei Henigman explain that the attacker would need to have already gained access to an operational technology (OT) network to exploit these vulnerabilities, and would also need to capture traffic between the PLC and EcoStruxure Machine Expert Basic.

Claroty acknowledges that Schneider Electric does what it can to keep the Modicon M221 secure with password hashes, server-side authentication and stronger encryption.

However, Schneider Electric’s efforts have not been flawless – Anikster and Henigman describe these as ‘shortcomings’.

The four most recent vulnerabilities include:

  • CVE-2020-7565 (Related CWE-326: Inadequate Encryption Strength)
  • CVE-2020-7566 (Related CWE-334: Small Space of Random Values)
  • CVE-2020-7567 (Related CWE-311: Missing Encryption of Sensitive Data)
  • CVE-2020-7568 (Related CWE-200: Exposure of Sensitive Information to an Unauthorised Actor)

Researchers explain that an attacker could capture traffic between the PLC and EcoStruxure Machine Expert Basic – traffic that could include upload and download data, as well as successful authentications. The data is encrypted using a four-byte XOR key, which is considered to be a weak method of encryption.

An XOR key can be exploited through known-plaintext attacks and statistical analysis.

“Read-write password hashes are transferred using the weak encryption mechanism, and therefore can be extracted and passed in Pass-the-Hash attacks to authenticate an attacker to the PLC. This works because only the hash is used in authentication exchanges. From there, an attacker can execute privileged commands, such as uploading malicious updates or code to a PLC or downloading information from the device,” the researchers explain.

Furthermore, there are also cryptographic implementation vulnerabilities located within the key exchange mechanism, which is designed in a way that makes decryption possible if an attacker used a brute force or rainbow table attack.

“An attacker who is able to capture enough traffic should be able to deduce the client-side or server-side secret in either exchange and would be able to break encrypted read-write commands and the encrypted password hashes. This puts the entire key-exchange mechanism at risk,” researchers say.

Schneider Electric also suggests that any organisation using the M221 device should: implement a firewall that blocks unauthorised access to TCP port 502; set up network segmentation; and disable unused protocols, such as the Programming protocol in the Modicon M221 application.

About Schneider Electric

Schneider Electric is leading the Digital Transformation of Energy Management and Automation in Homes, Buildings, Data Centers, Infrastructure and Industries. With global presence in over 100 countries, Schneider is the undisputable leader in Power Management – Medium Voltage, Low Voltage and Secure Power, and in Automation Systems. We provide integrated efficiency solutions, combining energy, automation and software. In our global Ecosystem, we collaborate with the largest Partner, Integrator and Developer Community on our Open Platform to deliver real-time control and operational efficiency. We believe that great people and partners make Schneider a great company and that our commitment to Innovation, Diversity and Sustainability ensures that Life Is On everywhere, for everyone and at every moment.

#SchneiderElectric #SchneiderNews #Schneider

Media Contact
Company Name: ABC Private Limited
Contact Person: Media Relations
Email: Send Email
Phone: 8745857610
Country: India
Website: https://www.se.com/in/en/