Team82 Logo Claroty
Return to Team82 Research

New Critical Vulnerabilities in Unitronics Unistream Devices Uncovered

/ / 5 min read

Executive Summary

  • Unitronics has updated its UniStream integrated PLC/HMI products to address critical vulnerabilities disclosed by Team82.

  • The vulnerabilities could allow an attacker to bypass native authentication and authorization features in the product, and can be chained to gain remote code execution.

  • Unitronics urges its users to update UniStream OS to version 1.35.47 or later and released an advisory.

  • Previous attacks against Unitronics’ Vision series of PLCs were disclosed in November. The PLCs were compromised in high-profile attacks against Israeli and American water treatment facilities. The vulnerabilities used in those attacks were addressed by the vendor.

  • Israel National Cyber Directorate has published an advisory that includes mitigation and remediation information.

Unitronics Authentication Bypass and RCE Vulns Uncovered

Israeli vendor Unitronics’ integrated programmable logic controllers (PLCs) and human-machine interfaces (HMIs) were targeted in alarming cyberattacks that were disclosed in November that affected dozens of Unitronics Vision controllers around the world. Among those affected by attacks were multiple water facilities in the U.S. that suffered operational disruptions.

A group known as the CyberAv3ngers claimed responsibility for these attacks and singled out that all technology built in Israel was in their crosshairs. A compromised Unitronics V570 PLC/HMI at the municipal Water Authority of Alquippa was defaced, indicating that the attackers at least had access to the device. 

The attack prompted the Cybersecurity Infrastructure & Security Agency (CISA) to publish an advisory warning users to change default passwords on Unitronics products, close ports directly exposing these devices to the internet, and secure any remote access to the devices with a VPN or secure access solution. Unitronics also patched the vulnerability used in this attack in version 9.9.00 of the affected Vision product.

This incident also motivated Team82 to research the attack surface of the UniStream PLC series, Unitronics’ current generation of integrated PLCs and HMIs. Among its feature improvements, the UniStream series includes a native authentication schema that Team82 were able to bypass.

During our research, we uncovered eight vulnerabilities that not only bypassed the authentication and authorization features in the UniStream PLCs, but also were able to chain  to gain remote code execution on the device. Using publicly available internet scanning services, we identified around 480 internet-exposed and vulnerable UniStream devices. It should be noted that these devices are not preconfigured to be reachable online, and that these are configuration mistakes on the part of users, likely opening ports on the device for integrator access or other remote support. 

Team82 privately disclosed these vulnerabilities to Unitronics, CISA, and the Israel National Cyber Directorate, which today published its own warning users to update devices and limit their direct exposure to the internet. We urge users to update their Unitronics controllers, and make sure these devices are not exposed to the internet.

We would like to thank both Unitronics and Israel National Cyber Directorate for their full cooperation and immediate response, fixing all vulnerabilities we disclosed.

What is the Unitronics UniStream PLC Series?

UniStream is a programmable logic controller (PLC) series developed by Unitronics. It combines HMI (Human-Machine Interface) capabilities with advanced control functionality, making it a versatile solution for industrial automation.

A screenshot of the Unitronics UniStream PLC and HMI, that allows OT engineers to build and configure a custom operation.

Unitronics also offers a software suite called UniLogic, an interface for programming and configuring Unistream devices, allowing engineers to dictate its logic.

The UniLogic UI, allowing engineers to program and configure their UniStream PLCs.

In our research, we discovered eight vulnerabilities that not only allow a remote unauthenticated attacker to bypass the authentication requirement for interacting with the PLC, but we also chain some of those vulnerabilities to allow an unauthorized attacker to connect to the UniStream PLC,  fully control it, and execute arbitrary commands.

To map the possible attack surface and potential damage, we looked for UniStream devices that expose their management web server to the internet. To do so, we used internet-scanning services such as Shodan.io and Censys.io, which constantly scan the IP range, mapping devices they encounter. In the end, we managed to discover around 480 Unistream devices directly connected to the internet that could be attacked using the vulnerabilities we disclosed to Unitronics.

Key Takeaways

The attacks against Unitronics PLCs disclosed last fall were a stark reminder that while attacks against operational technology and control systems are relatively rare, they do occur and can cause disruption to critical services and put personal safety at risk. This prompted Team82 to research the attack surface of the current generation of Unitronics’ UniStream integrated PLCs and HMIs.

What we found were a number of vulnerabilities that bypass authentication and enable remote code execution on devices directly connected to the internet. Unitronics was quick to work with us and address the flaws in an update that users should immediately apply. 

It’s important to note that these devices are not configured out of the box to be exposed online, and directly connecting them to the internet can have risky consequences. Users should not only update devices, but restrict remote connections behind a VPN or a secure access solution. Team82 was able to use internet-scanning services to discover devices directly connected to the internet, a poor best practice that needlessly exposes many organizations to malicious remote connections. 

CERT IL, meanwhile, has a number of mitigation recommendations: 

  • Organizations should update Unistream UniLogoc software to version 1.35.227 or later

  • It also recommends that PLCs not be directly connected and accessible to the internet; VPNs or zero-trust network access devices should be used instead

  • Default passwords should be changed to longer, more complex password; two-factor authentication should also be implemented

Stay in the know Get the Team82 Newsletter
Related Vulnerability Disclosures
Claroty
LinkedIn Twitter YouTube Facebook