ClearEnergy

Critical Infrastructure, SCADA and Industrial Control Systems ransomware analysis based on Modicon Modbus Protocol / UMAS - Session Key (0-Day Vulnerabilities)

ClearEnergy

"Researchers at CRITIFENCE® Critical Infrastructure and SCADA/ICS Cyber Threats Research Group have demonstrated this week a new proof of concept ransomware attack that able to erase (clear) the ladder logic diagram in Programmable Logic Controllers (PLCs).".


About ClearEnergy

ClearEnergy vulnerabilities (ICSA-17-101-01) disclosed AUTHENTICATION BYPASS BY CAPTURE-REPLAY CVE-2017-6032 (SVE-82003203) and VIOLATION OF SECURE DESIGN PRINCIPLES CVE-2017-6034 (SVE-82003204), in the session key (identifier) in Schneider Electric Modicon Modbus UMAS protocol. UMAS is a Kernel level protocol and an administrative control layer that relies on the Modbus protocol. This vulnerabilities affected but not limited to all Schneider Electric PLCs and PACs of Unity series that running Unity OS from 2.6.

ClearEnergy zero-day vulnerabilities discovered in June 2016 by CRITIFENCE Critical Infrastructure and SCADA/ICS Cyber Threats Research Group



Impact

Successful exploitation of these vulnerabilities may allow an unauthorized remote attacker to capture and replay sensitive commands to PLCs on a network using the Modicon Modbus protocol. In addition, the attacker can cause to unwanted behavior of Schneider Electric’s Modicon Modbus PLCs and PACs of Unity series that running Unity OS 2.6 or later. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.



Background

Schneider Electric is a European-based company that maintains offices in 190 countries worldwide. The vulnerabilities that found affect all Schneider Electric PLCs and PACs of Unity series that running Unity OS from 2.6 or later.



Affected Products

The following versions of Schneider Electric’s Modicon Modbus protocol, which can be used with the Modicon family of PLCs, are affected:
  • Modicon Modbus protocol, all versions
  • All Unity series PLCs
  • All Unity OS from version 2.6 and later


ClearEnergy



Vulnerability Overview

AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294 (CVE-2017-6032 / SVE-82003203)
Sensitive information is transmitted in clear text in the Modicon Modbus protocol, which may allow an attacker to replay the following commands: run, stop, upload, and download.

VIOLATION OF SECURE DESIGN PRINCIPLES CWE-657 (CVE-2017-6034 / SVE-82003204)
The Modicon Modbus protocol has a session related weakness making it susceptible to brute-force attacks.


ClearEnergy



Mitigation

Following to the disclosure, Schneider Electric has confirmed that the Modicon family of PLCs products are vulnerable to the findings presented by CRITIFENCE and released an Important Cybersecurity Notification (SEVD-2017-065-01).

Once acknowledged the existence of the vulnerabilities, CRITIFENCE with a support from ICS-CERT (Department of Homeland Security, DHS) worked in collaboration with Schneider Electric to mitigate and remediate the vulnerabilities in order to create security updates for all Schneider Electric vulnerable products.

ICS-CERT released an advisory (ICSA-17-101-01) for ClearEnergy vulnerabilities.
Schneider Electric are already working on a software update for the affected products.



Thanks and Credits

CRITIFENCE would like to thank the following persons and organizations
for the collaboration and their great work during the disclosure and remediation process:


  • Schneider Electric
  • ICS-CERT (Department of Homeland Security, DHS)




More information about ClearEnergy



Vulnerabilities



Source code



Advisories



News