Ilya Karpov and Yevgeny Druzhinin, specialists at the Rostelecom-Solar I&C Cyber Security Laboratory, discovered a number of vulnerabilities in Schneider Electric industrial equipment that is widely used to manage power systems. Several critical bugs could allow an attacker to take control of the device or to stop its operation entirely.
The researchers examined the firmware of the Schneider Electric Easergy T300 (HU250) substation automation controller and the separately available Schneider Electric Easergy Builder software, which is used to configure such equipment. The experts have already notified the vendor of the identified problems and have also passed information about the vulnerabilities to the FSTEC of Russia for publication in the “Information Security Threat Data Bank” (BDU:2020-02720 – BDU:2020-02736).
“The Schneider Electric Easergy T300 controllers, as well as the Saitel DP and Saitel DR, all configured with the Easergy Builder software, are widely used by grid and infrastructure companies around the world, including in Smart Grid systems. The electricity supply of the population, hospitals, schools, transport infrastructure and other socially important facilities depends on their operation. Such devices are far from always connected to data networks in compliance with best practices, as a result of which the equipment may be exposed to attacks from the Internet. For this reason, it is especially important for such devices to have reliable built-in information protection tools. We thank Schneider Electric for their professional approach to working on the detected vulnerabilities and look forward to further productive cooperation to improve the security of industrial automation,” comments Jan Sukhikh, Head of ICS Cyber Security at Rostelecom-Solar.
A study of the Easergy T300 web server showed that it is vulnerable to CSRF attacks (CVE-2020-7503). The attack scenario is as follows: an attacker creates a malicious page that exploits this vulnerability. If a user who is logged in to the Easergy T300 controller's web server visits that page, commands are sent to the server on the user's behalf, and their execution can lead to an incorrect controller configuration and, as a result, to accidents, equipment failure or a blackout.
A number of other serious problems concern the implementation of encryption on the device. The experts found that the controller code contains several vulnerabilities that can completely undermine the cryptographic protection of transmitted data: an attacker can obtain private encryption keys (CVE-2020-7510), the cryptographic algorithms are not resistant to cracking (CVE-2020-7511), and certain sensitive information, such as user logins and passwords, is stored and transmitted without any encryption (CVE-2020-7513).
Exploiting these vulnerabilities could give an attacker access to all controller traffic, including user credentials, which effectively means taking control of the device.
Weaknesses in authentication protection also allow user passwords to be compromised: because the restriction on the number of failed login attempts is too weak (CVE-2020-7508), an attacker could recover a password by brute force. The attacker could then extend the attack by exploiting a vulnerability that allows account privileges to be escalated (CVE-2020-7509). As a result, it becomes possible, from an ordinary user account, to erase the OS configuration files or install malware that provides remote control over the device.
The researchers also identified a number of security issues in the Schneider Electric Easergy Builder software used to configure the Easergy T300 (HU250), Saitel DP and Saitel DR controllers, among others. Easergy Builder stores and transmits various critical information in clear text (CVE-2020-7517, CVE-2020-7516), including encryption keys (CVE-2020-7517). Access to all device traffic is also possible because Easergy Builder uses a weak, reversible cryptographic algorithm to encrypt credentials (CVE-2020-7514).
In addition, the software does not validate user input, so a specially crafted request can change the controller's configuration parameters (CVE-2020-7518) and interfere with the management of electrical substations. Easergy Builder also allows users to set weak passwords (CVE-2020-7519), which further reduces the overall level of security.