Claroty, Schneider Electric Disclose Modicon M221 Authentication Bypass Flaws

 

By Yehuda Anikster and Rei Henigman | November 10, 2020

 

Executive Summary

Claroty, in June, privately disclosed details on four vulnerabilities in Schneider Electric’s Modicon M221 programmable logic controller (PLC) and EcoStruxure Machine Expert Basic. The vulnerabilities could allow an advanced attacker to bypass authentication on these devices, break the encryption securing data transfers, modify code, and run commands.

Key findings include:
  • Claroty discovered and privately reported four authentication and encryption vulnerabilities within the M221 PLC that could allow advanced attackers access to device code and the ability to modify code, change passwords, and control the device.
  • Schneider Electric has recommended mitigations for these security issues, which affect M221, all versions, and EcoStruxure Machine Expert Basic, all versions.
  • Modicon M221 PLCs are used in multiple industries and are low-cost devices made to control basic automation for machines.
  • An attacker would have to establish a presence on an OT network in order to exploit these vulnerabilities.
  • An attacker would need to capture network traffic between the Modicon M221 PLC and EcoStruxure Machine Expert Basic to understand the device’s authentication mechanisms and the encryption protecting it.
  • Weak encryption implementations could easily be cracked by an adversary in order to authenticate to the PLC.
  • Schneider Electric has evolved the security of these devices since 2017 as more of them are used inside organizations where IT-OT convergence is happening and more equipment is connected to the internet.

Introduction

Digital transformation is dragging operational technology (OT) networks from behind the protective curtain of air-gaps into the connected world. And while IT and OT steam ahead toward convergence and industrial processes modernize, the security of many industrial control devices still lag from a time when it was impossible to reach internal OT networks without physical access.

Claroty’s Biannual ICS Risk & Vulnerability Report, published in August, shines a harsh light on this evolving dynamic, uncovering alarming trends around vulnerabilities in ICS software, most notably that seven of 10 flaws disclosed during the first half of the year were remotely exploitable.

Some providers are adapting quicker than others, however. Vendors such as Schneider Electric and Rockwell Automation, for example, have built extensive security teams and have developed vulnerability disclosure programs that facilitate important relationships between researchers and vendors, in addition to improving the integrity, safety, and reliability of industrial devices.

Recently, Claroty researchers privately disclosed four authentication and encryption vulnerabilities in Schneider Electric’s Modicon M221 programmable logic controller (PLC) (all versions), and in its EcoStruxure Machine Expert, Basic (all versions). Mitigations are available from Schneider, and some details about the flaws are being released here today.

Schneider Electric’s mitigations include a recommendation to set up network segmentation and implement a firewall to block unauthorized access to TCP port 502. Schneider also recommends that users disable unused protocols, especially the Programming protocol, within the Modicon M221 application.

M221’s Security Authentication History

Modicon PLCs predate by decades today’s IT-OT convergence and the need to secure connected devices. Modicon was the first PLC, developed in 1968 in the U.S.; the company was a spin-off of Bedford Associates which developed the PLC for GM Hydramatic. In 1977, Gould Electronics acquired Modicon, then sold it to AEG in 1989. AEG and Schneider Group merged in 1994 as AEG Schneider Automation before in 1996 becoming solely owned by Schneider and renamed Schneider Electric in 1999.

Schneider has been vigilant about the security of the Modicon M221, dating back to 2017 and 2018 when a number of authentication and encryption vulnerabilities were disclosed and addressed that could put credentials at risk on the device. At one stage of the product’s development, for example, authentication was limited to just a client-side password check that was put in place solely to prevent unauthorized personnel from making modifications to the PLC. The password information, by the way, was transmitted in clear text.

An older version of SoMachine Basic 1.4 SP1 interface with Application Protection, and the Wireshark PCAP with the plaintext client-side verified password transmitted from the server.

An older version of SoMachine Basic 1.4 SP1 interface with Application Protection, and the Wireshark PCAP with the plaintext client-side verified password transmitted from the server.

With each new vulnerability disclosure in the M221, the security of the product improved with Schnedier remediating issues in a timely manner as they were disclosed. The result is that in subsequent versions, password hashes have replaced clear-text passwords, server-side authentication has been added, and key exchanges and data are encrypted.

In recent versions, read and write password commands are present but can be used only by sending an encrypted message containing the password’s hash beforehand. Without entering the password, only selected sections of the data are readable. The encrypted hash is sent using the subfunction 0x6d (private) with subtypes 6 and 7 (for read and write passwords, respectively).

The new EcoStruxure MachineExpert Basic 1.0 SP2 interface with write protection, and the Wireshark PCAP with the relevant Diffie-Hellman key exchange and write-password authentication.

The new EcoStruxure MachineExpert Basic 1.0 SP2 interface with write protection, and the Wireshark PCAP with the relevant Diffie-Hellman key exchange and write-password authentication.

CVEs Timeline

Here are details of the CVEs from the timeline above related to Schneider’s M221 authentication mechanism that have been patched prior to today:

  • CVE-2017-7574: Use Of Hard-Coded Cryptographic Key
  • CVE-2017-7575: Protection Mechanism Failure – Discover Password
  • CVE-2018-7789: Improper Check for Unusual or Exceptional Conditions – Unauthenticated Reboot
  • CVE-2018-7790: Information Management Errors – Authentication Replay Attack
  • CVE-2018-7791: Permissions, Privileges, and Access Controls – Overwrite Password
  • CVE-2018-7792: Permissions, Privileges, and Access Controls – Decode Password
  • CVE-2018-7798: Insufficient Verification of Data Authenticity – Change Network Parameters

New Vulnerabilities Enable Authentication Bypass

The latest disclosures from Claroty address some shortcomings found in those security measures implemented over the years. The vulnerabilities reported to Schneider on June 10 can only be exploited by an attacker who already has a foothold on an OT network or ICS device.

For example, an attacker could capture network traffic between the Modicon M221 PLC and the EcoStruxure Machine Expert Basic software that includes upload and download data or successful authentication attempts. This data is encrypted using a 4-byte XOR key, which is a weak encryption method.

The XOR key can be deduced using known-plaintext attacks (comparing known sections in memory to their respected encrypted counterparts) or even statistical analysis of the data, since it contains an abundance of NULL bytes. Data such as read-write password hashes is transferred using the weak encryption mechanism, and therefore can be extracted and passed in Pass-the-Hash attacks to authenticate an attacker to the PLC. This works because only the hash is used in authentication exchanges. From there, an attacker can execute privileged commands, such as uploading malicious updates or code to a PLC or downloading information from the device.

An example of a read command encrypted using the 4-byte XOR key. Using statistical analysis the key can be guessed, by seeing the repeating sequence, due to the fact that it’s encrypting null bytes.

An example of a read command encrypted using the 4-byte XOR key. Using statistical analysis the key can be guessed, by seeing the repeating sequence, due to the fact that it’s encrypting null bytes.

Claroty researchers also discovered cryptographic implementation vulnerabilities in the key-exchange mechanism; in this case, the Diffie-Hellman key-exchange method is used to create a 4-byte XOR key for encryption of the read-write data and password hashes during the authentication phase (a different XOR key is used for each case).

Both sides generate a 4-byte secret, and use Diffie-Hellman to create a shared secret: the 4-byte XOR key. As mentioned above, a 4-byte XOR key is a weak data encryption method. But the bigger issue here is the key-exchange method itself.

Diffie-Hellman’s strength lies in the fact that it is virtually impossible to calculate the secret from the transferred information, due to the discrete logarithm problem. Meaning, if the secret has N bytes and therefore 2(8×N) possibilities, (an order of) each possibility must be checked. For a 16-byte secret, for example, that amounts to about 1038 possibilities. But in our case, there are only 4 bytes, resulting in only 4.29×109 possibilities, meaning it is possible to deduce the secret from the transferred data using a brute-force/rainbow table attack.

Claroty research shows how attackers can build a precomputed rainbow table to crack a Diffie-Hellman key exchange quickly and efficiently.

Claroty research shows how attackers can build a precomputed rainbow table to crack a Diffie-Hellman key exchange quickly and efficiently.

An attacker who is able to capture enough traffic should be able to deduce the client-side or server-side secret in either exchange and would be able to break encrypted read-write commands and the encrypted password hashes. This puts the entire key-exchange mechanism at risk.

Summary

Modicon M221 PLCs are used in multiple industries, and an advanced attacker with some knowledge of the authentication mechanism in place and the cryptographic implementations in place could exploit these flaws and put processes at risk.

Here is a summary of the four vulnerabilities:

  • CVE-2020-7565
    Related CWE-326: Inadequate Encryption Strength
    —Read/Write encryption uses a 4-byte XOR key for data encryption, a weak implementation that can be broken using a known plaintext attack where data may be read in certain memory regions without authentication, or statistical analysis of repetitive sequences of XOR keys in traffic.
  • CVE-2020-7566
    Related CWE-334: Small Space of Random Values
    —A weak key exchange method or read/write encryption where a too small of a Diffie-Hellman secret is used and the 4-byte XOR key can be uncovered.
  • CVE-2020-7567
    Related CWE-311: Missing Encryption of Sensitive Data
    —Password hashes can be uncovered in upload-download communications between the PLC and the EcoStruxure Machine Expert Basic software. An attacker who is able to deduce the XOR key using another of these vulnerabilities may use that same key to find the password hash and use a Pass-the-Hash attack to authenticate themselves to the PLC.
  • CVE-2020-7568
    Related CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
    —Some sections or memory are readable without entering a password, even if read and write protections are activated.
Claroty would also like to thank Schneider for its collaboration and partnership in addressing these vulnerabilities.