Claroty, in June, privately disclosed details on four vulnerabilities in Schneider Electric’s Modicon M221 programmable logic controller (PLC) and EcoStruxure Machine Expert Basic. The vulnerabilities could allow an advanced attacker to bypass authentication on these devices, break the encryption securing data transfers, modify code, and run commands.
Key findings include:
●Claroty discovered and privately reported four authentication and encryption vulnerabilities within the M221 PLC that could allow advanced attackers access to device code and the ability to modify code, change passwords, and control the device.
●Schneider Electric has recommended mitigations for these security issues, which affect M221 V220.127.116.11 and earlier and EcoStruxure Machine Expert, Basic, V1.0 SP2 and earlier.
●Modicon M221 PLCs are used in multiple industries and are low-cost devices made to control basic automation for machines.
●An attacker would have to establish a presence on an OT network in order to exploit these vulnerabilities.
●An attacker would need to capture network traffic between the Modicon M221 PLC and EcoStruxure Machine Expert Basic to understand the device’s authentication mechanisms and the encryption protecting it.
●Weak encryption implementations could easily be cracked by an adversary in order to authenticate to the PLC.
●Schneider Electric has evolved the security of these devices since 2017 as more of them are used inside organizations where IT-OT convergence is happening and more equipment is connected to the internet.
Biannual ICS Risk & Vulnerability report, published in August, shines a harsh light on this evolving dynamic, uncovering alarming trends around vulnerabilities in ICS software, most notably that seven of 10 flaws disclosed during the first half of the year were remotely exploitable.
Some providers are adapting quicker than others, however. Vendors such as Schneider Electric and Rockwell Automation, for example, have built extensive security teams and have developed vulnerability disclosure programs that facilitate important relationships between researchers and vendors, in addition to improving the integrity, safety, and reliability of industrial devices.
Recently, Claroty researchers privately disclosed four authentication and encryption vulnerabilities in Schneider Electric’s Modicon M221 programmable logic controller (PLC) (all versions), and in its EcoStruxure Machine Expert, Basic (all versions). Mitigations are available from Schneider, and some details about the flaws are being released here today.
Schneider Electric’s mitigations include a recommendation to set up network segmentation and implement a firewall to block unauthorized access to TCP port 502. Schneider also recommends that users disable unused protocols, especially the Programming protocol, within the Modicon M221 application.
Here are details of the CVEs from the timeline above related to Schneider’s M221 authentication mechanism that have been patched prior to today:
●CVE-2017-7574: Use Of Hard-Coded Cryptographic Key
●CVE-2017-7575: Protection Mechanism Failure – Discover Password
●CVE-2018-7789: Improper Check for Unusual or Exceptional Conditions – Unauthenticated reboot
●CVE-2018-7790: Information Management Errors – Authentication Replay Attack
●CVE-2018-7791: Permissions, Privileges, and Access Controls – Overwrite Password
●CVE-2018-7792: Permissions, Privileges, and Access Controls – Decode Password
●CVE-2018-7798: Insufficient Verification of Data Authenticity – Change Network Parameters
New Vulnerabilities Enable Authentication Bypass
The latest disclosures from Claroty address some shortcomings found in those security measures implemented over the years. The vulnerabilities reported to Schneider on June 10 can only be exploited by an attacker who already has a foothold on an OT network or ICS device.
For example, an attacker could capture network traffic between the Modicon M221 PLC and the EcoStruxure Machine Expert Basic software that includes upload and download data or successful authentication attempts. This data is encrypted using a 4-byte XOR key, which is a weak encryption method.
The XOR key can be deduced using known-plaintext attacks (comparing known sections in memory to their respected encrypted counterparts) or even statistical analysis of the data, since it contains an abundance of NULL bytes. Data such as read-write password hashes is transferred using the weak encryption mechanism, and therefore can be extracted and passed in Pass-the-Hash attacks to authenticate an attacker to the PLC. This works because only the hash is used in authentication exchanges. From there, an attacker can execute privileged commands, such as uploading malicious updates or code to a PLC or downloading information from the device.
An example of a read command encrypted using the 4-byte XOR key. Using statistical analysis the key can be guessed, by seeing the repeating sequence, due to the fact that it’s encrypting null bytes.
Claroty researchers also discovered cryptographic implementation vulnerabilities in the key-exchange mechanism; in this case, the Diffie-Hellman key-exchange method is used to create a 4-byte XOR key for encryption of the read-write data and password hashes during the authentication phase (a different XOR key is used for each case).
Both sides generate a 4-byte secret, and use Diffie-Hellman to create a shared secret: the 4-byte XOR key. As mentioned above, a 4-byte XOR key is a weak data encryption method. But the bigger issue here is the key-exchange method itself.
Diffie-Hellman’s strength lies in the fact that it is virtually impossible to calculate the secret from the transferred information, due to the discrete logarithm problem. Meaning, if the secret has N bytes and therefore 28×N possibilities, (an order of) each possibility must be checked. For a 16-byte secret, for example, that amounts to about 1038 possibilities. But in our case, there are only 4 bytes, resulting in only 4.29×109 possibilities, meaning it is possible to deduce the secret from the transferred data using a brute-force/rainbow table attack.
Claroty research shows how attackers can build a precomputed rainbow table to crack a Diffie-Hellman key exchange quickly and efficiently
An attacker who is able to capture enough traffic should be able to deduce the client-side or server-side secret in either exchange and would be able to break encrypted read-write commands and the encrypted password hashes. This puts the entire key-exchange mechanism at risk.
Modicon M221 PLCs are used in multiple industries, and an advanced attacker with some knowledge of the authentication mechanism in place and the cryptographic implementations in place could exploit these flaws and put processes at risk.
Here is a summary of the four vulnerabilities:
Related CWEs: CWE-326: Inadequate Encryption Strength—Read/Write encryption uses a 4-byte XOR key for data encryption, a weak implementation that can be broken using a known plaintext attack where data may be read in certain memory regions without authentication, or statistical analysis of repetitive sequences of XOR keys in traffic.
Related CWE-334: Small Space of Random Values—A weak key exchange method or read/write encryption where a too small of a Diffie-Hellman secret is used and the 4-byte XOR key can be uncovered.
Related CWE-311: Missing Encryption of Sensitive Data—Password hashes can be uncovered in upload-download communications between the PLC and the EcoStruxure Machine Expert Basic software. An attacker who is able to deduce the XOR key using another of these vulnerabilities may use that same key to find the password hash and use a Pass-the-Hash attack to authenticate themselves to the PLC.
Related CWE-200: Exposure of Sensitive Information to an Unauthorized Actor—Some sections or memory are readable without entering a password, even if read and write protections are activated.
Claroty would also like to thank Schneider for its collaboration and partnership in addressing these vulnerabilities.