Kaspersky ICS CERT Reveals ‘Secrets’ at Schneider UMAS

  • October 18, 2022

Kaspersky ICS CERT examined the vulnerabilities of Schneider Electric’s Unified Messaging Application Services (UMAS), an extremely popular protocol used in many industries, from manufacturing to elevator control systems. By exploiting these vulnerabilities, attackers can gain access to a facility’s entire automation system.

UMAS (Unified Messaging Application Services) is Schneider Electric’s proprietary protocol used to configure, monitor, collect data from, and control Schneider Electric industrial controllers. The protocol is widely used across various industries. The issues described by Kaspersky ICS CERT experts concern unauthorized access to the programmable logic controller (PLC) and ways cybercriminals can bypass authentication.

In 2020, the vulnerability CVE-2020-28212 was reported, which could be exploited by an unauthorized remote attacker to take control of a programmable logic controller (PLC) with the privileges of an operator already authenticated on the controller. To address this vulnerability, Schneider Electric developed the Application Password, a new mechanism designed to protect PLCs from unauthorized access and unwanted changes.

Analysis by Kaspersky ICS CERT experts shows that the new security mechanism also has flaws in its implementation. The vulnerability CVE-2021-22779, identified during the investigation, could be used to bypass authentication, allowing a remote attacker to modify the PLC. The main problem, according to the researchers, is that the authentication credentials used to “reserve” the device for modification are computed entirely on the client side, and the secret used can be obtained from the PLC without authentication.

Schneider Electric has issued a recommendation with a solution that fixes the vulnerabilities. In addition, Kaspersky ICS CERT recommends using network monitoring and deep industrial protocol analysis solutions, such as Kaspersky Industrial CyberSecurity for Networks, to monitor and control attempts to remotely access PLC devices.

Kaspersky ICS CERT Security Specialist Pavel Nesterov says: “The threat landscape is constantly evolving. Organizations’ security strategy must constantly evolve to meet new challenges. Today, building a cybersecurity system is not an end-to-end goal, it is a continuous proactive process. This was demonstrated by the example of the UMAS protocol. We are grateful to Schneider Electric for being able to respond so quickly to discovered security vulnerabilities and provide appropriate solutions and recommendations to its customers. But our advice to anyone responsible for an organization’s security is to implement custom solutions.”

You can learn more about Schneider Electric’s UMAS protocol and its secrets at ICS CERT.

To protect your ICS computers from threats, Kaspersky experts recommend the following:

  • Regularly update operating systems and application software that are part of the corporate network. Apply security solutions and patches to IT and OT network equipment as they become available.
  • Perform regular security audits of IT and OT systems to identify and eliminate potential vulnerabilities.
  • Use Kaspersky Industrial CyberSecurity for Networks, an ICS network traffic monitoring, analysis, and detection product, to better protect against attacks that potentially threaten technology processes and critical business assets. The Custom Command Control module detects when an attacker tries to execute the “Smooth controller” command in an attempt to exploit vulnerabilities in the UMAS protocol. Another module, Network Integrity Check, logs unauthorized network connections. All events are combined into a report and sent to the manager for further investigation.
  • Implement custom security training for IT security teams and OT technicians to improve response to new and advanced malicious attack techniques.
  • Provide up-to-date threat intelligence to the security team responsible for protecting industrial control systems. Our ICS Threat Intelligence Reporting service provides information on current threats and attack vectors, as well as the most vulnerable elements in OT and industrial control systems and how to mitigate them.
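
The network-monitoring recommendation above can be illustrated with a small passive check (an added example, not from the original article, Kaspersky, or Schneider Electric): it parses Modbus/TCP payloads, picks out UMAS requests, and flags any that come from hosts outside an engineering-workstation allowlist. The allowlist, IP addresses and sample frames are constructed; the Modbus function code 0x5A for UMAS and the reservation function code 0x10 are taken from public UMAS research and are assumptions here, not values stated on this page.

```python
import struct

MODBUS_FC_UMAS = 0x5A              # Modbus function code that carries UMAS
UMAS_TAKE_RESERVATION = 0x10       # assumption: from public UMAS research, not this page
ENGINEERING_HOSTS = {"10.0.5.20"}  # hypothetical allowlist of engineering workstations


def parse_umas(payload: bytes):
    """Return (session_key, umas_function) for a Modbus/TCP UMAS request, else None."""
    if len(payload) < 10:          # 7-byte MBAP + function code + session key + UMAS function
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:   # not Modbus, or truncated/padded frame
        return None
    if payload[7] != MODBUS_FC_UMAS:
        return None
    return payload[8], payload[9]


def review(flows):
    """flows: iterable of (src_ip, tcp_payload). Returns a list of alert dicts."""
    alerts = []
    for src, payload in flows:
        parsed = parse_umas(payload)
        if parsed is None or src in ENGINEERING_HOSTS:
            continue
        _session, func = parsed
        kind = "reservation" if func == UMAS_TAKE_RESERVATION else "umas"
        alerts.append({"src": src, "kind": kind, "function": func})
    return alerts


def frame(fc, body, tid=1, unit=0):
    """Build a constructed Modbus/TCP frame for the sample data below."""
    pdu = bytes([fc]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic (not captured from a real device).
SAMPLE = [
    ("10.0.5.20", frame(0x5A, bytes([0x00, 0x10]))),              # allowlisted workstation
    ("10.0.9.77", frame(0x5A, bytes([0x00, 0x10]))),              # unknown host reserving
    ("10.0.9.77", frame(0x03, bytes([0x00, 0x00, 0x00, 0x02]))),  # plain Modbus read
    ("10.0.9.78", frame(0x5A, bytes([0x00, 0x02]))),              # unknown host, other UMAS
    ("10.0.9.78", b"\x00\x01\x00\x00\x00\x09\x00\x5a"),           # truncated frame
]

if __name__ == "__main__":
    for alert in review(SAMPLE):
        print(alert)
```

In practice the flows would come from a span port or tap on the OT segment, and the allowlist from the site's asset inventory.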

Source: (BYZHA) – Beyaz News Agency

Source: Haber Safir
