**ATTENTION:** Remotely exploitable/low skill level to exploit. Public exploits are available.
Vendor: Schneider Electric
Equipment: Modicon M221 PLCs and SoMachine Basic
Vulnerability: Use of Hard-Coded Cryptographic Key, Protection Mechanism Failure
Schneider Electric reports that these vulnerabilities affect the following PLCs and tools for configuring and developing automation machinery:
One vulnerability may allow an attacker to extract a protected project file from the controller to obtain sensitive project information. The second vulnerability may allow a user with access to a protected project file to decrypt it in order to obtain sensitive information without authorization.
Schneider Electric recommends that users store project files in secure, access-restricted locations and encrypt project files with reputable third-party file encryption tools. A fix to enhance the SoMachine Basic encryption mechanism will be released on June 15, 2017.
Schneider Electric’s security notice SEVD-2017-097-01 is available at the following location:
<http://www.schneider-electric.com/en/download/document/SEVD-2017-097-01/>
Schneider Electric recommends that users implement the following mitigations until an enhanced encryption mechanism is released on June 15, 2017:
Schneider Electric’s security notice SEVD-2017-097-02 is available at the following location:
<http://www.schneider-electric.com/en/download/document/SEVD-2017-097-02/>
NCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
Project files, including user-defined project passwords, are encrypted with a hardcoded password.
CVE-2017-7574 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L).
An attacker can send a specially crafted command via Modbus over TCP port 502 to the logic controller to discover an application protection password.
CVE-2017-7575 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L).
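A defensive check for the Modbus/TCP exposure described above, as an added example that is not part of the advisory or of any Schneider Electric tool: it parses captured requests to TCP port 502 and flags unexpected sources, malformed frames, and function codes outside a site allowlist. The addresses, both allowlists and the sample frames are constructed assumptions; the advisory does not describe the crafted command itself.

```python
import struct

MODBUS_PORT = 502
# Assumed site policy (not from the advisory): the only host expected to
# speak Modbus to the controller, and the function codes the process uses.
ALLOWED_SOURCES = {"10.0.5.10"}
ALLOWED_FUNCTIONS = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x0F, 0x10}

def parse_adu(payload: bytes):
    """Parse one Modbus/TCP ADU; return its fields, or None if malformed."""
    if len(payload) < 8:                      # 7-byte MBAP header + function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is 0 for Modbus; length counts the unit id plus the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": unit, "function": payload[7]}

def review(src: str, dst_port: int, payload: bytes):
    """Return the list of findings for one captured request."""
    if dst_port != MODBUS_PORT:
        return []
    findings = []
    if src not in ALLOWED_SOURCES:
        findings.append("unexpected-source")
    adu = parse_adu(payload)
    if adu is None:
        findings.append("malformed-adu")
    elif adu["function"] not in ALLOWED_FUNCTIONS:
        findings.append("unexpected-function-0x%02x" % adu["function"])
    return findings

# Constructed sample capture: (source IP, destination port, TCP payload).
SAMPLE = [
    ("10.0.5.10", 502, bytes.fromhex("000100000006010300000002")),  # read registers
    ("10.0.5.77", 502, bytes.fromhex("000200000003014100")),        # user-defined code
    ("10.0.5.10", 502, bytes.fromhex("0003000000ff0103")),          # bad length field
]

if __name__ == "__main__":
    for src, port, payload in SAMPLE:
        print(src, review(src, port, payload) or "ok")
```
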
Simon Heming, Maik Brüggemann, Hendrik Schwartke, and Ralf Spenneberg of Open Source Security discovered these vulnerabilities.
Critical Infrastructure Sector: Commercial Facilities
**Countries/Areas Deployed:** Worldwide
Company Headquarters Location: France