ICS Summary for Week of September 22, 2017

By Kimberly Matsumoto on September 22, 2017

SCADA Webserver Found Lacking Proper Authentication

A SCADA webserver made by Swiss-based company, iniNet Solutions GmbH, was found to have a critical vulnerability that may allow a malicious attacker to gain access to human-machine interface (HMI) pages without authentication.  The third party software is used worldwide, primarily in the critical manufacturing sector.  The vulnerability was found by Matthias Niedermaier and Florian Fischer of Augsburg of Applied Sciences and it affects the iniNet Solutions GmbH SCADA Webserver, in all versions prior to V2.02.0100.  

The webserver had a improper authentication (CWE-287) vulnerability with the highest criticality rating of 10.0.  IniNet Solutions GmbH has stated that the “webserver is designed to used in a protected environment”, so this might be why there is this lack of authentication. The vulnerabilty allows a malicious attacker to bypass the authentication and gain access to various pages on the webserver.  Some of these pages, such as the HMI ones, held sensitive data that the attacker could access.  They would also have the ability to modify and control PLC variables.

The company has released a new version of the webserver, V2.02.011, that allows users to implement basic authentication.  It can be found here at http://spidercontrol.net/download/downloadarea/?lang=en and the instructions for implementing this can be found in the V2.02.011 user manual.  They also have provided some best practices for users to follow to keep their systems secure.  These recommendations include never connecting a PLC to the internet unless absolutely necessary and, if so, using a managed infrastructure, minimize network exposure for all control devices and systems, and isolate all control system networks and remote devices from the business network.  Currently, no public exploits have been found that are specifically targeting this vulnerability.

Source: ICSA-17-264-04 (ICS-CERT)

Vulnerability Found in Schneider Electric Equipment

Researcher Aaron Portnoy, formerly of Exodus Intelligence, found a critical vulnerability in Schneider Electric’s InduSoft Web Studio and InTouch Machine Edition.  These systems are used in the critical manufacturing, energy, healthcare and public health, and water and wastewater systems sectors around the world.  The InduSoft Web Studio is a set of automation tools that provide users the start of building human machine interfaces (HMI), supervisory control and data acquisition (SCADA) systems, and embedded instrumentation solutions.  InTouch Machine Edition is a highly flexible HMI that is setup to provide varying levels of control.  This means that if either of these systems are compromised, the attacker would have a lot of power on the system.

The vulnerability was that of a Missing Authentication for Critical Function (CWE-306) and given a high CVSS score of 9.8 (Out of 10).  ICS-CERT described the vulnerability: “InduSoft Web Studio provides the capability for an HMI client to trigger script execution on the server for the purposes of performing customized calculations or actions. A remote malicious entity could bypass the server authentication and trigger the execution of an arbitrary command. The command is executed under high privileges and could lead to a complete compromise of the server.”  The fact that it’s remotely accessible and also relatively easy to exploit makes this a serious security flaw.

The affected systems were:

  • InduSoft Web Studio v8.0 SP2 or prior
  • InTouch Machine Edition v8.0 SP2 or prior

Schneider Electric has released a patch for this vulnerability for both products which they recommend users apply as soon as possible.

Links to the updates:

Sources: ICSA-17-264-01 (ICS-CERT), Schneider Electric Cyber Security Updates (Schneider Electric)

Note: The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cybersecurity and business strategies. In order for this website to serve the community we need to know your concerns and questions about (for example) proper safeguards for technology you’re looking into or what sets of compliance and governance policies would you need to operate a particular business. The CSCC openly invites you to send in your inquiries. We’ll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity. Mail us at: uhwocscc@hawaii.edu