Schneider Electric released several advisories on vulnerabilities it has recently fixed in its EcoStruxure and Modicon products. The Modicon M580, M340, Quantum and Premium programmable logic controllers (PLCs) were affected by three denial of service (DoS) vulnerabilities, while the EcoStruxure SCADA software products were found to have buffer overflow vulnerabilities.
The advisory for the three Modicon vulnerabilities rated two of them (CVE-2019-6857 and CVE-2019-685) as high severity and the remaining one (CVE-2018-7794) as medium severity. All three can cause a DoS when specific memory blocks are read (CVE-2019-6857) or written (CVE-2019-685), or when data is read with an invalid index (CVE-2018-7794).
Nozomi Networks, which discovered the vulnerabilities, further explained that an attacker can also crash the controller’s Ethernet module, which then requires the affected device to be reset.
Another advisory covered Power SCADA Operation (PSO), a key element of Schneider Electric’s EcoStruxure Power product. PSO helps manage power distribution in facilities such as hospitals, airports and data centers. Schneider Electric patched a stack-based buffer overflow vulnerability (CVE-2019-13537) in PSO that could cause a server-side crash if exploited by an attacker.
Lastly, Applied Risk discovered a vulnerability in Schneider Electric’s EcoStruxure Geo SCADA Expert, also called ClearSCADA, a SCADA software used to control industrial processes. Applied Risk released an advisory detailing the flaw: insecure file permissions in the software that could allow an attacker to modify system-wide configuration and data files if exploited.
All three advisories list the updates and patches that address the discovered vulnerabilities. Schneider Electric advises affected customers to download and apply these patches to prevent attacks that exploit these vulnerabilities.
The impact of vulnerabilities on SCADA systems
SCADA systems are made up of interconnected parts like PLCs, remote transmission units (RTUs), and human machine interfaces (HMIs) that together help control machinery and industrial processes that can span large geographical areas. SCADA also uses other components, such as app and web interfaces, that help engineers monitor and control industrial processes from remote locations. This succession of reports from last week demonstrates how vulnerabilities can be found in any component of a SCADA system, giving attackers a possible way into the industrial control system’s (ICS) network.
Research conducted by Trend Micro in 2017 showed that HMI vulnerabilities included code injection, authorization and insecure default vulnerabilities, to name a few. These findings still hold today, as new discoveries frequently include unsophisticated bugs like stack and buffer overflows and information disclosure, as seen in the advisories.
SCADA systems oversee critical industrial processes across various industries, which raises the urgency of addressing vulnerabilities. Depending on where they are deployed, attacks on these vulnerabilities can have unforeseeable consequences, ranging from operational downtime to physical damage. In critical industries like energy and water, exposed SCADA systems can cause cascading effects down the supply chain that cross over into other industries.
The fight against exploits starts with awareness that these vulnerabilities exist. This means following advisories and disclosures closely and applying patches as soon as they become available.