Schneider Electric created a mitigation to correct an issue in its Unity Pro software application which manages and programs industrial controllers, according to a report from security provider, Indegy Labs.
The vulnerability in Unity Pro could allow any user to remotely execute code directly on any computer on which this product is installed, in debug privileges. The vulnerable software tool is present in every control network in the world that uses Schneider-Electric controllers.
Mille Gandelsman, CTO of Indegy conducted a presentation Tuesday at the 2016 Industrial Control Systems Cyber Security Conference in Atlanta where he disclosed a SCADA security vulnerability that enables attackers to remotely control industrial equipment and processes. This report is an excerpt from a blog post from Gandelsman and Avihay Kain, from Indegy R&D.
Regardless of the SCADA/DCS applications in use, if Schneider Electric controllers end up deployed, this software will be used on the engineering workstations. This makes this attack possible across virtually any process controlled by these PLCs, the researchers said.
Schneider Electric has developed a mitigation of its product.
The Unity Pro software platform runs on Microsoft Windows machines. The vulnerability found affects all versions of this software, including the latest one. It resides in one of its components named Unity Pro PLC Simulator, Gandelsman said. The component tests industrial controllers’ code prior to executing it on the controllers themselves. The control code projects are compiled as x86 instructions and loaded onto the PLC Simulator using a proprietary format named “apx.”
The overall CVSS Score is 7.5.
Since these x86 instructions are later executed as is by the simulator, an attacker can direct their control flow to execute arbitrary malicious code. As bothersome as this might sound (being a somewhat classical data/code mixture), the issue is receiving .apx files from a remote location to execute them on the simulator is natively supported by the Unity Pro software platform, Gandelsman said.
To implement the attack, no patching of the simulator process at any stage is needed, only the .apx file is being patched. To build such an .apx file, the attacker needs to create a large project file with enough random binary PLC code, and then replace it with the combination of bridgehead shellcode and malicious payload, Gandelsman said. To preserve the integrity of the file, the attacker then needs to overcome several checksum calculations. Finally, the specially crafted project file is downloaded to the simulator remotely over a TCP port, which is open by default. There are few available implementations allowing one to download an .apx file to a simulator or a controller without wrapping it with the file format used by Unity Pro (though this path could be taken as well, which will result in a weaker attack). The latter is done by imitating Unity Pro’s communication protocol with the controllers.
The vulnerability in the simulator component of Unity Pro enables attackers to natively access industrial controllers and use a manipulated .apx file to execute malicious code, Gandelsman said. Since the delivery of the .apx file is an engineering control-plane activity, executed over a proprietary protocol, it is difficult to identify and detect.
The use of proprietary protocols for control-plane activities is a common yet misunderstood practice in ICS networks. Unlike IT networks where data-plane and control-plane activities are executed over the same communication protocols, in ICS networks different protocols are used for these activities.
Widely known protocols like MODBUS, PROFINET and DNP3, are all data-plane protocols. However, this is not where dangerous manipulations to ICS/SCADA networks and industrial controllers take place. The control-plane activities, which include all engineering and management activities performed on controllers (PLCs, RTUs) are executed over proprietary, vendor specific protocols which are unnamed, undocumented, and unmonitored, Gandelsman said.
To identify such attacks and ensure the integrity of critical control devices, the proprietary control-plane protocols of ICS networks must be monitored.
Mitigation of this vulnerability is realized with the following points:
• From Unity PRO V11.1 version, by default, it is not possible to launch simulator without any Unity PRO application associated
• It is up to user to select the Unity PRO default application to be launched by the simulator, and to protect this application program by a password
• Once the password protected application has been loaded onto the simulator, then it is not possible to load or to modify this application without being authenticated
Schneider offered one important note: It is up to user responsibility to protect his application by a proper password.