The M221 PLC controls basic automation for machines, and is configured using the EcoStruxure Machine Expert-Basic software. All versions of the products are affected by these vulnerabilities. Schneider Electric recommends a number of mitigations to address these vulnerabilities. ICS-CERT, today, also updated its advisory.
The latest flaw, CVE-2020-28214, aligns to Common Weakness Enumeration 760 (CWE-760): use of a one-way hash with a predictable salt. An attacker able to exploit this vulnerability could use a rainbow table dictionary attack, image below, to pre-compute a hash value, negating the benefits that an unpredictable salt would offer. Salt is random cryptographic data added to one-way functions that hash data in order to add a measure of uniqueness to, for example, weak passwords. Experts caution, however, that attackers with enough computing power are able to crack salted hashes.
Attackers can build a precomputed rainbow table to crack a Diffie-Hellman key exchange quickly and efficiently.
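To make the CWE-760 point concrete, the added Python example below (not code from Claroty, Schneider Electric or the advisory) pre-computes hashes for a small constructed password list under a fixed salt and shows that the same table is useless once each device salts with unpredictable random bytes. SHA-256 and the 4-byte fixed salt are stand-ins; the page does not specify the device's hash function or salt value.

```python
import hashlib
import os
from typing import Dict, Optional

# Constructed dictionary of weak passwords. A real rainbow table covers a far
# larger space; the point here is only that a predictable salt lets the table
# be built once, offline, and reused against every device.
WEAK_PASSWORDS = ["admin", "password", "1234", "plc", "operator"]

# Constructed stand-in for a predictable salt (the page does not give the real one).
PREDICTABLE_SALT = b"\x00\x01\x02\x03"


def hash_password(password: str, salt: bytes) -> str:
    """One-way hash of salt || password. SHA-256 is an assumption, used only
    to illustrate the salting behaviour; the algorithm is not what matters."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_table(salt: bytes) -> Dict[str, str]:
    """Pre-compute hash -> password for one known salt (the CWE-760 scenario).
    With a fixed salt this work is done once and amortised over all devices."""
    return {hash_password(p, salt): p for p in WEAK_PASSWORDS}


def lookup(table: Dict[str, str], observed_hash: str) -> Optional[str]:
    """Reverse an observed hash by table lookup; None means no match."""
    return table.get(observed_hash)


def demo_predictable_salt() -> Optional[str]:
    """Device uses the predictable salt: a later-captured hash is reversed
    instantly by the pre-built table."""
    table = build_table(PREDICTABLE_SALT)            # built ahead of time
    observed = hash_password("1234", PREDICTABLE_SALT)  # hash seen on the wire later
    return lookup(table, observed)                   # -> "1234"


def demo_random_salt() -> Optional[str]:
    """Device uses a fresh, unpredictable salt: the pre-built table no longer
    matches, so the password would have to be brute-forced per device."""
    table = build_table(PREDICTABLE_SALT)            # attacker's existing table
    device_salt = os.urandom(16)                     # per-device random salt
    observed = hash_password("1234", device_salt)
    return lookup(table, observed)                   # -> None


if __name__ == "__main__":
    print("predictable salt:", demo_predictable_salt())
    print("random salt:     ", demo_random_salt())
```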
Lock Down Access to the M221
Claroty, in June, privately disclosed these vulnerabilities in the Schneider Electric products. The company has steadily addressed almost a dozen flaws in the M221 since 2017 related to authentication and encryption, an important evolution in the security of these devices as more and more industrial systems are connected to the internet. Attackers have tools at their disposal to find and exploit vulnerabilities in connected devices; locking down access to them is a crucial step to keeping devices and organizations using them safe. Schneider has effectively done so, replacing, in recent years, clear-text passwords with hashes, adding server-side authentication, and encrypting key exchanges and data.
The Nov. 10 public disclosure and update further tightened up some of those previously addressed security measures. Users are urged to follow Schneider Electric’s mitigation advice, below.
Meanwhile, exploits against these vulnerabilities can only be carried out by attackers who have already gained a foothold on an M221 device. Attackers already on the device would be able to capture traffic between the M221 and EcoStruxure Machine Expert-Basic and break the weak encryption methods protecting upload and download data or authentication attempts. Cryptographic key exchanges are also vulnerable because of a weak Diffie-Hellman key-exchange implementation securing read-write data and password hashes during authentication. An attacker who is able to capture enough traffic should be able to deduce the client-side or server-side secret in either exchange, and would then be able to break encrypted read-write commands and the encrypted password hashes. This puts the entire key-exchange mechanism at risk.
Schneider Electric recommends the following mitigations:
Set up network segmentation and implement a firewall to block all unauthorized access to port.
Within the Modicon M221 application, the user must:
Disable all unused protocols, especially Programming protocol. This action will prevent unintended remote programming access.
Set a password to protect the project.
Set a password for read access on the controller.
Set a different password for write access on the controller.
Here is a recap of the five vulnerabilities:
CVE-2020-28214 (disclosed today)
Related CWE-760: Use of a One-Way Hash with a Predictable Salt—The M221 and EcoStruxure Machine Expert-Basic use a predictable salt, which is vulnerable to an attacker already on the device who would be able to pre-compute a hash value using a rainbow table dictionary attack.
The following vulnerabilities were disclosed Nov. 10:
Related CWE-326: Inadequate Encryption Strength—Read/Write encryption uses a 4-byte XOR key for data encryption, a weak implementation that can be broken using a known-plaintext attack (data in certain memory regions may be read without authentication) or by statistical analysis of repeated XOR-key sequences in traffic.
Related CWE-334: Small Space of Random Values—A weak key exchange method for read/write encryption in which too small a Diffie-Hellman secret is used, allowing the 4-byte XOR key to be uncovered.
Related CWE-311: Missing Encryption of Sensitive Data—Password hashes can be uncovered in upload-download communications between the PLC and the EcoStruxure Machine Expert Basic software. An attacker who is able to deduce the XOR key using another of these vulnerabilities may use that same key to find the password hash and use a Pass-the-Hash attack to authenticate themselves to the PLC.
Related CWE-200: Exposure of Sensitive Information to an Unauthorized Actor—Some sections of memory are readable without entering a password, even if read and write protections are activated.