Schneider Electric Software vulnerability affects critical infrastructure PLC controllers in all countries

Stuxnet is a malware variant designed to attack Siemens SIMATIC S7-300 and S7-400 programmable logic controllers (PLCs). According to network penetration testing specialists, the U.S. government, in conjunction with Israel, used this malware to attack Iran’s nuclear facilities ten years ago. During the attack, the malware loaded malicious code onto specific devices by replacing a DLL associated with the Siemens STEP7 PLC programming software.

A few weeks ago, Airbus Cybersecurity experts reported finding a similar vulnerability in Schneider Electric’s EcoStruxure Control Expert engineering software. Identified as CVE-2020-7475, this flaw could be exploited to load malicious code into Modicon M340 and M580 PLCs by replacing one of the DLL files associated with the software, which could cause service interruptions. The flaw received a score of 8.2/10 on the Common Vulnerability Scoring System (CVSS).

In addition to this flaw, experts reported CVE-2020-7489, a virtually identical vulnerability that received the same CVSS score. According to network penetration testing experts, the company has already released the corresponding patches, although they point out that similar products from other manufacturers could be affected.

Cybersecurity specialist Karl Sigler notes that exploiting CVE-2020-7489 requires access to the environment that hosts the SoMachine software and the target PLC. “To exploit this vulnerability, threat actors would need to perform the injection using the same user context as a local user authorized to run the software.”
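Because both flaws hinge on a DLL in the engineering-software directory being swapped for an attacker-controlled one, a practical control on the engineering workstation is to baseline the DLL set and alert on any added, missing or modified file. The following is an added example (not Schneider Electric’s or Airbus’s code); the install path and the DLL names it uses are assumptions and constructed for the demonstration. On Windows, Authenticode signature verification of each DLL is a stronger complement to the hash comparison shown here.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large DLLs do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(install_dir: str) -> dict:
    """Map each DLL (relative path) under the install directory to its SHA-256."""
    root = Path(install_dir)
    return {str(p.relative_to(root)): hash_file(p) for p in root.rglob("*.dll")}


def verify_baseline(install_dir: str, baseline: dict) -> dict:
    """Compare the current DLL set against a stored baseline.

    Any entry in the returned lists is a candidate DLL replacement and
    should be investigated before the engineering software is used to
    program a PLC.
    """
    current = build_baseline(install_dir)
    return {
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: a clean install, then one DLL is swapped and one is dropped in."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "EngineeringSoftware"  # assumed install path, not a real product path
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "driver.dll").write_bytes(b"original vendor driver")
        (root / "bin" / "ui.dll").write_bytes(b"original ui library")
        baseline = build_baseline(str(root))
        # Simulated tampering: driver.dll replaced, an unexpected DLL appears.
        (root / "bin" / "driver.dll").write_bytes(b"replaced driver with foreign code")
        (root / "bin" / "extra.dll").write_bytes(b"unexpected library")
        return verify_baseline(str(root), baseline)
```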

Network penetration testing experts also made an interesting discovery related to an older vulnerability affecting Schneider Electric software. In 2017, the company notified its customers about CVE-2017-6034, a critical vulnerability that allowed attackers to send run, stop, upload and download commands to a PLC via a replay attack. Experts further discovered that, until a few months ago, an attack could still be launched by abusing an existing session between EcoStruxure Machine Expert and the PLC. As a result of these findings, Schneider had to continue working on these flaws.

“The original vulnerability allows packet capture and replay on the PLC. For example, an attacker could play a packet with the ‘Stop’ command sent to the PLC to stop the PLC at any time,” explains the expert. “Although this flaw was fixed in 2017, the attack could still be deployed if the hacker had access to an existing session.”

For further reports on vulnerabilities, exploits, malware variants and computer security risks, you can visit the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.