Security Experts:

Another Stuxnet-Style Vulnerability Found in Schneider Electric Software

Researchers have found another vulnerability in software made by Schneider Electric that is similar to the one exploited by the notorious Stuxnet malware.

Stuxnet, the malware used a decade ago by the United States and Israel to cause damage to Iran’s nuclear program, was designed to target Siemens’ SIMATIC S7-300 and S7-400 programmable logic controllers (PLCs). The malware loaded malicious code onto targeted PLCs by replacing a DLL file associated with the Siemens STEP7 controller programming software.

In March, Airbus Cybersecurity reported that it had identified a similar vulnerability in Schneider Electric’s EcoStruxure Control Expert engineering software, formerly known as Unity Pro. The flaw, tracked as CVE-2020-7475, can be exploited to upload malicious code to Modicon M340 and M580 PLCs by replacing one of the DLL files associated with the engineering software, which could lead to process disruptions and other damage.Modicon PLC vulnerability

Researchers at cybersecurity firm Trustwave reported on Thursday that they too have identified a similar vulnerability in Schneider software, specifically EcoStruxure Machine Expert (formerly known as SoMachine), which allows users to develop projects on Modicon M221 controllers.

The second flaw, tracked as CVE-2020-7489, has roughly the same description in Schneider’s advisory as CVE-2020-7475 and the same CVSS score of 8.2 — this means they are high-severity vulnerabilities.

Schneider has released patches for both vulnerabilities, but noted in the advisory for the first security hole that products from other vendors could also be vulnerable to these types of attacks.

Karl Sigler, senior security research manager at Trustwave’s SpiderLabs, told SecurityWeek that exploitation of CVE-2020-7489 requires access to the environment hosting the SoMachine software and the targeted PLC.

“For the SoMachine DLL injection vulnerability specifically (CVE-2020-7489) the attacker would need to perform the injection using the same user context as a local user authorized to run the software,” Sigler explained. “Administrative access would not be necessary unless SoMachine is installed and locked down for administrative accounts. While these systems might be air-gapped, we’ve seen in Stuxnet that this is not necessarily a barrier for exploitation.”

Learn more about vulnerabilities in industrial systems at SecurityWeek’s 2020 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

Trustwave researchers also made an interesting discovery related to an old vulnerability affecting Schneider Electric software.

In 2017, the vendor informed customers of CVE-2017-6034, a critical vulnerability that allowed hackers to send run, stop, upload and download commands to a PLC using a replay attack.

Trustwave researchers discovered last year that an attack could still be launched by leveraging an existing session between EcoStruxure Machine Expert and the PLC. As a result of Trustwave’s findings, Schneider updated its original advisory in August 2019.

“The original CVE-2017-6034 vulnerability allowed for packet capture and replay to the PLC. For instance a packet with the ‘Stop’ command sent to the PLC could be replayed by an attacker to stop the PLC at any time,” Sigler explained. “While this replay vulnerability was patched in 2017, Trustwave discovered that the attack could still be performed as long as the attacker was piggybacking on top of an existing session between the control software and the PLC. In other words, while the packet replay vulnerability was patched, a man-in-the-middle attack could still be performed accomplishing the same misuse of the PLC.”

Related: Cisco Finds 11 Vulnerabilities in Schneider Electric Modicon Controllers

Related: Schneider Electric Patches Vulnerabilities in Modicon, EcoStruxure Products

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.