Security issues identified in Rockwell, Siemens, Schneider Electric equipment in ICS environments

Security issues have surfaced in equipment for the critical infrastructure sector from vendors such as Rockwell Automation, Siemens and Schneider Electric. Given the precarious cybersecurity landscape prevailing in the sector with the underlying ransomware threats and attacks, it is advisable for users to adopt the mitigation set out by the companies at the earliest, to prevent exploitation. 

The Cybersecurity and Infrastructure Agency (CISA) identified on Thursday the existence of a security flaw in Rockwell Automation’s FactoryTalk Services Platform equipment used in various sectors, including chemical, critical manufacturing, and energy. The protection mechanism failure may allow a remote, authenticated attacker to bypass FactoryTalk Security policies based on the computer name. If successfully exploited, this may allow an attacker to have the same privileges as if they were logged on to the client machine.

Built for supporting an ecosystem of advanced industrial applications, the FactoryTalk platform can supercharge industrial environments with software that offers the latest design, maximizes operational efficiencies, and delivers predictive and augmented maintenance advantages. Rockwell Automation reports that the vulnerability affects the FactoryTalk Services Platform v6.11 and earlier, if FactoryTalk Security is enabled and deployed.

Rockwell Automation encourages those using the affected software to update to FactoryTalk Services Platform v6.20 or later to address the associated risk, the CISA advisory added. Users who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these tactics with the general security guidelines to employ multiple strategies simultaneously.

Earlier this week, CISA found security issues in Rockwell’s ISaGRAF5 Runtime equipment, which can be remotely exploited with low attack complexity. The vulnerabilities include the use of a hard-coded cryptographic key, unprotected storage of credentials, relative path traversal, uncontrolled search path element, and cleartext transmission of sensitive information. Kaspersky reported these vulnerabilities to Rockwell.

The ISaGRAF automation software technology is used to create integrated automation solutions. It offers a combination of a portable SoftPLC control engine (runtime) and an intuitive application development environment (application workbench). ISaGRAF provides IEC 61131‑3 and IEC 61499 support that allows developers to meet specific needs by providing the flexibility to use the hardware platform and operating system in accordance with the nature of the application.

The Milwaukee, Wisconsin headquartered company advised users to update to ISaGRAF Runtime 5 Version 5.72.00. End users are encouraged to restrict or block access on TCP 1131 and TCP 1132 from outside the industrial control system. Confirming the least-privilege user principle is followed, and user/service account access to Runtime’s folder location is granted with a minimum amount of rights needed.

This week, CISA also reported on security issues found in Siemens’ Mendix SAML Module equipment deployed across multiple critical infrastructure sectors. The insufficient verification of data authenticity vulnerability has been detected in the Mendix SAML Module across all versions prior to 2.1.2 which allows a hacker to escalate privileges. The configuration of the SAML module does not properly check various restrictions and validations imposed by an identity provider, which may allow a remote authenticated attacker to escalate privileges.

The SAML module can be used as a replacement or extension of supported authentication methods. By configuring the information about all identity providers in the module, it allows users to sign in using the correct identity provider (IdP). There is no limit on the number of different identity providers that one can configure.

Siemens reported this vulnerability to CISA, and an update was released for the Mendix SAML Module. It advised users to update to version 2.1.2 or later.

CISA also reported this week the presence of several security issues with low attack complexity in Schneider Electric’s IGSS (Interactive Graphical SCADA System) equipment used in commercial facilities, critical manufacturing and energy sectors. IGSS helps to monitor and control industrial processes and communicates with key industry-standard PLC drivers.

The vulnerabilities identified include out-of-bounds read and write, access of uninitialized pointer, use after free, release of an invalid pointer or reference, and improper limitation of a pathname to a restricted directory, according to the CISA advisory. Schneider Electric recommends that users update to version 15.0.0.21141 of the IGSS definition module, as it includes fixes for these vulnerabilities. 

In case, users decide not to apply the remediation provided, then they should avoid importing CGF and WSP files from untrusted sources to reduce the risk of exploitation. Failure to apply the remediations provided below may risk remote code execution, which could result in an attacker gaining access to the Windows Operating System on the machine used to import CGF and WSP files, typically a step performed during system design time.

Kimiya, working with Trend Micro’s Zero Day Initiative, and researcher Michael Heinzl separately reported these vulnerabilities to CISA. 

The security agency also flagged the existence of security issues in Schneider’s Modicon X80 equipment used globally in the commercial facilities, critical manufacturing and energy segments. The remotely exploitable low attack complexity vulnerability can expose sensitive information to an unauthorized hacker, which could result in an understanding of the network architecture.

To reduce the risk of exploitation until a remediation plan is available, Schneider Electric advised users to ensure that web access service is disabled by default, as it is only necessary for specific maintenance and configuration activities. Hence, users should disable the web (HTTP) service when it is not needed through the Ecostruxure Control Expert application. 

In addition, users must set up network segmentation and implement a firewall to block all unauthorized access to HTTP Port 80/TCP on the controllers. Chizuru Toyama, TXOne IoT/ICS Security Research Labs of Trend Micro, reported this vulnerability to CISA.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.