Researchers have discovered a vulnerability in the software used to develop and deploy code for Schneider Electric industrial controllers. Attackers can exploit the flaw for remote code execution.

What is the problem
The vulnerable system is called Unity Pro and runs on a Windows PC; it includes a simulator for testing code before it is deployed to programmable logic controllers (PLCs). These devices are used in factories, plants and infrastructure to monitor and control the mechanical processes of industrial equipment: opening and closing valves, turning motors, and so on.
At the end of October 2016, Indegy researchers discovered the possibility of remote code execution on Windows workstations with the Unity Pro PLC simulator installed. The code runs with debugger privileges, which leads to a complete compromise of the system.
Unity Pro is usually installed on engineers' workstations, which means that gaining access to them would allow attackers to reprogram controllers operating at real industrial facilities and thereby influence the facility's critical processes. It also opens up opportunities for the theft of intellectual property, such as data on products being developed or tested.
According to the researchers, the Unity Pro PLC simulator opens a network service on the workstation that listens on a specific TCP port and allows remote computers to send control codes in a special format. Any computer that can reach the simulator over the network can also send it .apx files, which the simulator executes without authentication. The simulator supports binary formats for various Schneider Electric PLCs, including those based on the x86 architecture.
Indegy experts managed to build an .apx file containing x86 instructions that the simulator executed in a child process. The problem is that this process runs with debugger privileges, which allows one to do anything at all with the computer, since "getting out of this process is easy: there are no sandboxes or code isolation," Computerworld quoted one of the researchers as saying. Even with firewalls separating the PLCs from the rest of the network, engineering workstations will always be on their whitelists and will be able to interact with the system; that is their main task.
How to protect
According to the security bulletin issued by Schneider Electric, there is at least one factor limiting the possibility of a real attack: it can only be carried out if no other application is running inside the PLC simulator, or if the application is not password protected.
The new version, Unity Pro 11.1, will not allow the simulator to run without an associated application. However, the user will be able to choose whether to activate this setting and to set a password for access to the system, the bulletin says.
The second limiting factor is that an attacker needs access to a computer inside the network that can communicate with the workstation on which the Unity Pro software is installed. Such access can be obtained in a number of ways, from a phishing attack that delivers malware to the use of insiders at the industrial facility.
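Both limiting factors above point to the same defensive check: only approved engineering workstations should ever be talking to the simulator service. The following is an added example (not code from the original post, from Indegy, or from Schneider Electric) that triages constructed firewall log lines and flags any connection to the simulator port on a Unity Pro host from a source outside the engineering-workstation allowlist. The port number, the log format and the addresses are assumptions made for the example; the post does not name the port.

```python
"""Flag connections to the Unity Pro simulator service from hosts that are not
approved engineering workstations.

Added example, not from the original post or from Schneider Electric. The port
number, the log line format and all addresses are assumptions for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# ASSUMPTION: placeholder port; replace with the port the simulator actually listens on.
SIMULATOR_PORT = 12345

# Constructed sample firewall log lines (not real data):
# timestamp action proto src dst dst_port
SAMPLE_LOG = """\
2016-11-02T10:01:12 ALLOW tcp 10.10.20.5 10.10.20.50 12345
2016-11-02T10:02:40 ALLOW tcp 10.10.20.6 10.10.20.50 12345
2016-11-02T10:03:15 ALLOW tcp 10.10.30.77 10.10.20.50 12345
2016-11-02T10:04:00 ALLOW tcp 10.10.30.77 10.10.20.50 445
2016-11-02T10:05:22 DENY tcp 192.168.99.9 10.10.20.50 12345
"""

LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (tcp|udp) (\S+) (\S+) (\d+)$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    action: str


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, dst, port = m.groups()
    return ts, action, proto, src, dst, int(port)


def find_unexpected_simulator_clients(log_text, simulator_hosts, allowed_sources,
                                      port=SIMULATOR_PORT):
    """Return connections to the simulator port on a simulator host whose source
    is outside the allowed networks. DENY entries are kept too: a blocked attempt
    from an unapproved host is still worth an analyst's attention."""
    sim = {ipaddress.ip_address(h) for h in simulator_hosts}
    allowed = [ipaddress.ip_network(n) for n in allowed_sources]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, action, proto, src, dst, dport = rec
        # Only TCP traffic to the simulator port on a known simulator host matters here.
        if proto != "tcp" or dport != port or ipaddress.ip_address(dst) not in sim:
            continue
        src_ip = ipaddress.ip_address(src)
        if any(src_ip in net for net in allowed):
            continue
        findings.append(Finding(ts, src, dst, action))
    return findings


if __name__ == "__main__":
    # Constructed topology: one simulator workstation, engineering subnet allowed.
    for f in find_unexpected_simulator_clients(SAMPLE_LOG, ["10.10.20.50"],
                                               ["10.10.20.0/24"]):
        print(f"{f.timestamp} {f.action} {f.src} -> {f.dst}:{SIMULATOR_PORT} (not an approved workstation)")
```

Run against the constructed log, the check reports the two connections from outside the 10.10.20.0/24 engineering subnet and ignores the SMB connection on port 445, which is not the simulator service. The same allowlist is what the firewall rule in front of the workstation should enforce; the log check catches the case where the rule is missing or too broad.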
Positive Technologies experts have repeatedly found vulnerabilities in Schneider Electric products: in 2014, bugs in the WIS SP1 Portal software for building SCADA systems were fixed, and in 2015, bugs in InTouch Machine Edition 2014. In addition, a large number of errors in the company's software were found by participants of the Critical Infrastructure Attack competition held at the Positive Hack Days IV international security forum. Schneider Electric thanked the winner of the competition, Alisa Shevchenko, for the vulnerabilities she found.
You can learn more about securing industrial control systems (ICS) with the PT Industrial Security Incident Manager product on December 1 at 14:00 at our free webinar. The host will be Oleg Matykov, head of application and industrial network protection product development at Positive Technologies.
Register for the webinar here.
P.S. We remind you that very soon, with the support of Positive Technologies, a course on asyncio + aiohttp by Python core developer Andrei Svetlov will be held in Moscow.
We are offering one free ticket to the seminar to the author of the best question for Andrei; he will choose the question himself and answer it during the course. Send your questions to: asyncio2016@ptsecurity.com.