Major Vulnerability Found In Schneider Electric Unity Pro

I'm not bringing this up to rag on Schneider, I have nothing but good memories of my time there. But when I worked for Schneider, I was helping out a new engineer who couldn't get logged into a power monitor. He had tried updating the password, but the unit just wasn't having it.

He had Wireshark running, and he had found a string containing some ASCII characters. I took a look in the manual, and sure enough, there was a shot of that string as an example login. I said, try that, and sure enough, it worked.

It turned out that not only did the unit have a well publicized backdoor (it was right there in the manual after all), there was no way of changing it.

The development team in Canada was not amused when we pointed this out. Even less so when they were forced to fix it.

And again, this isn't meant as a slam on Schneider, they were a great company to work for. It's just that something better came up, and I took it.
 
Thanks for the share. Has a pretty big impact for some of our big clients...

I was listening to NPR today about the IOT hack, and some researcher from the UK mentioned in his list of things that got hacked, "Power Monitors". That's when I said uh-oh...

Were you affected by the IOT hack (Dyn)? The IOT hack is only notable in its size, it's hardly something new.

https://www.wired.com/2015/12/2015-the-year-the-internet-of-things-got-hacked/

The last line of the article is prescient:

"But for those whose product can kill—whether a gun, a medical implant, or a car—let’s hope the lesson is taken more seriously in 2016."


-------------------------------------------------Waaay off topic zone-----------------------------------------

Shameless plug time:

If any of y'all are in Nashville on Nov 4th - 6th, come on down and check out PhreakNIC!

One of the talks this year is going to be on Scada and PLCs:

"Protecting SCADA, PLCs and automation controls - Steve Mallard"

Topical... :)
 
Read the same article,

Even with all the noise being made in the industry, I see little being done about it. I'm just waiting for a serious ICS hack.

Stuxnet should have been the warning sign for all big companies; I'm afraid it did very little to convince engineers their processes are vulnerable.
 
Even more reason to ensure your perimeter security is up to scratch.

Segregate your control and corporate networks. Firewalls mandatory. Test your rules work.

It's a PITA, but don't leave your engineering workstations logged on, and use limited-access accounts where possible.
 
Am I still vulnerable even though I don't have the development software on any of my machine HMIs and my IP isn't public?
 
Belay my last. If I have port 502 open I am ****ed.

Yes indeed,

After talking with some security experts in the business.....

So we have some challenges with the recommended fix from Schneider: we have 14 sites, all on different software versions of Unity. Upgrading all the versions to 11.1 is NOT an option just yet.

The route we will take is to blacklist the simulator program on all Production related machines.
You can also rename it or delete it. OK now you have no more simulator.

I think we will create a sandbox with Unity that is properly isolated for engineers that want to use the simulator software.

Some things I am not yet clear about...

What is the impact to the controller, or to my production system?

Has anyone got more information on this?
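One way to implement the "blacklist the simulator program on all production machines" approach from the post above is an AppLocker deny rule pushed to the engineering workstations. This is an added example, not something from the thread or from Schneider; the simulator executable path is a placeholder, since the thread does not name it, and the rule assumes the Application Identity service is running on the target machine.

```powershell
# Added example: deny execution of the Unity Pro simulator via AppLocker.
# PLACEHOLDER: replace with the real simulator executable path on your install.
$simulatorPath = '%PROGRAMFILES%\Schneider Electric\<UnityPro>\<Simulator>.exe'

# Deny rule for Everyone (SID S-1-1-0). Rule Id is a constructed GUID.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="3f2d6c1e-0000-4000-8000-000000000001"
                  Name="Deny Unity Pro simulator on production workstations"
                  Description="Mitigation while sites remain below Unity Pro 11.1"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$simulatorPath" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'deny-unity-simulator.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Merge into the local policy so existing allow rules are kept.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# Verify the rule actually blocks the binary before rolling it out site-wide.
# (Test-AppLockerPolicy needs a concrete path, so expand the environment variable.)
$resolved = [Environment]::ExpandEnvironmentVariables($simulatorPath)
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $resolved -User 'Everyone' |
    Format-Table -AutoSize FilePath, PolicyDecision, MatchingRule
```

Expect PolicyDecision to read Denied for the simulator path; an Allowed result means the path condition does not match the installed binary and the rule will not protect anything.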
 
Or just don't run programs in .stu format from people you don't trust in the simulator? People who are savvy enough to program a PLC should be able to understand this issue exists and avoid it.

If somehow a .stu they trust gets modified on their hard drive to have the break-out-of-simulator-and-install-rootkit payload, they were already pwned anyway if something is able to modify their files.
 
Oh, trust me, I believe what you are saying...

However, we are managing around 1000+ PLCs in our organisation and have roughly 250+ workstations with many different versions of Unity installed.

In this environment you cannot trust people, you need to trust the systems that you put in place to mitigate the risks.
 