Another Stuxnet-Style Vulnerability Affecting More PLCs

In the Security & Resilience Update for March 31, 2020, WaterISAC reported on research related to the potential for more Stuxnet-style attacks against PLCs. Airbus Cybersecurity reported a similar Stuxnet-like vulnerability in Schneider Electric’s EcoStruxure Control Expert engineering software. The flaw could be exploited to upload malicious code by replacing one of the DLL files, which could lead to process disruptions and other damage. In March it was noted that exploits could also affect similar products from other vendors. Today, SpiderLabs Global OT/IoT researchers at cybersecurity firm Trustwave present findings on two additional Stuxnet-style vulnerabilities on SoMachine Basic v1.6 and Schneider Electric M221 (Firmware 1.6.2.0) PLC. Exploitation of the first vulnerability (CVE-2017-6034) results in the inability of the engineering software to control and track the status of the PLC and gives an attacker the ability to establish an unauthenticated session to the PLCs to send control commands (e.g. START, STOP, UPLOAD, DOWNLOAD). The second vulnerability (CVE-2020-7489) would allow manipulated packets to be sent to the PLC due to lack of adequate checks on critical values used in communications with the PLC. While Schneider Electric has patched these vulnerabilities through coordination with Trustwaves’s Responsible Disclosure program, the details are notable for OT operators and engineers in understanding potential exploitation and highlighting the importance of the prioritization of vendor/OEM recommended mitigations. Read more at Trustwave