Schneider Electric is grappling with a critical vulnerability found in its flagship industrial controller management software called Unity Pro that allows hackers to remotely execute code on industrial networks.
The warning comes from Indegy, an industrial cybersecurity firm. Indegy discovered the vulnerability and issued a report on the flaw Tuesday. Mille Gandelsman, CTO of Indegy, called the vulnerability a “major concern” and urged anyone running Unity Pro software to update to the latest version.
Unity Pro, which runs on Window-based PCs, is used for managing and programing millions of industrial controllers around the world. “If the IP address of the Windows PC running the Unity Pro software is accessible to the internet, then anyone can exploit the software and run code on hardware,” Gandelsman told. “This is the crown jewel of access. An attacker can do anything they want with the controllers themselves.” The flaw resides in a component of Unity Pro software named Unity Pro PLC Simulator, used to test industrial controllers, according to Indegy.
“This is what an attacker would want to have access to in order to impact the actual production process within an ICS physical environment. That includes the valves, turbines, centrifuges and smart meters,” Gandelsman said. “With this type of access, an attacker can use it to change the recipe to drugs being manufactured by industrial control systems or turn off the power grid of a city.”
Gandelsman, who presented his research at the 2016 Industrial Control Systems Cyber Security Conference being held in Atlanta, Ga. this week, said that the vulnerability was discovered nearly six months ago and was privately disclosed to Schneider Electric at that time. Since the disclosure, Schneider Electric has patched the vulnerability. According to Indegy, the vulnerability is present in every control network that uses Schneider Electric controllers.
For its part, Schneider Electric on Oct, 14 acknowledged the flaw, issuing a “notification” to its customers. “The vulnerability is arbitrary code execution made possible by remotely downloading a patched project file to the Unity Simulator,” according to Schneider Electric. According to Indegy’s research the vulnerability is tied to the fact that “Unity Pro allows any user to remotely execute code directly on any computer on which (the Unity Pro) product is installed, in debug privileges,” according to a brief report on the vulnerability posted by Indegy. “The vulnerability found affects all versions of this software, including the latest one,” according to Indegy.
However, Schneider Electric said its most recent version (11.1) of the Unity Pro software is not impacted. The vulnerability, Indegy points out, does not require a compromise of the controllers in an ICS network because the industrial controllers lack authentication and industrial communications protocols lack encryption. “Regardless of the SCADA/DCS applications in use, if Schneider Electric controllers are deployed, this software will be used on the engineering workstations. This makes this attack relevant across virtually any process controlled by these PLCs,” Indegy said.
According to Schneider Electric’s description of the vulnerability, the flaw is tied to when a Unity project is compiled as x86 instructions and loaded onto the programmable logic controller (PLC) simulator. “It is possible to make the simulator execute malicious code by redirecting the control flow of these instructions: By implanting shellcode in free space of a Unity Pro project, then download and execute the patched project to the simulator.”
Asked if this vulnerability has been publicly exploited, Gandelsman said “I cannot address that. This is a vulnerability we detected. That is all I can say.” Schneider Electric did not respond to inquiries for comments. “This flaw is as bad as it gets,” Gandelsman said. Last year, Schneider Electric reported a number of vulnerabilities affecting the modules that support the company’s Factory Cast Modbus feature.
Another Schneider Electric bug was identified last year tied to a series of vulnerabilities related to credential and authentication verification in two of Schneider Electric’s HMI products that could have allowed an attacker who exploits them to be able to run arbitrary code. In a report, released in September by the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), officials conclude that nagging issues continue to plague industrial control systems (ICS) and SCADA systems.
It found that a dearth of access controls limiting unauthorized access, poor software code quality, and the weakening, or absence of, crypotographic security when it comes to the protection of data and network communications were still not adequately being addressed by the industry.