Schneider’s Unity Pro Vulnerability enabling remote control of ICS Networks

Unity Pro vulnerability has caused a lot of concern within the industry.

Do you know Schneider Electric?

Great.

How about Schneider Electric’s flagship industrial controller management (ICM) software application that goes by the name of Unity Pro?

Great.

We guess we’re all done here aren’t we?

Nope.

We’re not.

Because Schneider Electric’s ICM software, Unity Pro, has a critical vulnerability.

It is so bad that it allows all sorts of hackers to execute malicious code on all industrial networks, REMOTELY.

You can thank Indegy, a firm that specializes in industrial cyber security, for the warning.

The firm discovered the Unity Pro critical vulnerability on Tuesday.

It also came out with a report that detailed the flaw found in Schneider Electric Unity Pro.

The Chief Technology Officer of Indegy, Mille Gandelsman, said that the Schneider Electric Unity vulnerability indeed presented a major concern for all parties.

He also urged all parties involved to run the latest version of the Schneider Electric Unity Pro software application if they want to avoid running into problems with hackers.

As mentioned before, Schneider Electric Unity Pro is used by many to program and manage hundreds of millions of industrial controllers all over the world.

It is a Windows based software application for desktop computers.

Let’s Dissect Schneider Electric Unity Pro.

Gandelsman told Threatpost in an interview that anyone who has an internet connection and access to the IP address of the Windows machine running Schneider Electric Unity Pro can take advantage of the exploit.

And hack the software.

And then run some malicious code on the machine’s hardware.

He likened the vulnerability to a crown jewel.

This jewel, though, gives cyber thieves access to the victim’s machine.

Once a hacker has that level of access, he or she can do whatever he or she wants with the industrial controllers.

Basically, the Schneider Electric Unity vulnerability isn’t something unheard of.

It is simply arbitrary code execution.

And it has become possible only because hackers can download a patched project file directly to the Unity Pro simulator.

Even worse, hackers can do that remotely.

Where Exactly Is This Flaw?

All versions of Unity Pro are at risk.

The critical flaw actually resides in a component of all things Schneider Electric.

Component of what?

We’re talking about the component of Schneider Electric Unity Pro software that goes by the name of Unity Pro PLC Simulator.

Users rely on this component to test their industrial controllers.

That is what Indegy has said in its recent report.

Moreover, a user can compile Unity projects as x86 instructions.

Then the user can load those projects onto its related PLC Simulator.

Then Unity Pro can deliver the whole package.

For clarity’s sake, the PLC simulator directly executes those x86 instructions.

Hackers know how to make the impossible possible.

In other words, they know how they can execute malicious code via the simulator.

They can do so with a simple redirection.

Redirection of what?

Redirection of the control flow of such instructions.

They can do that by implanting arbitrary shellcode wherever there is free space within a given Unity Pro project.

Then hackers can download and then execute the patched Unity Pro project directly to the PLC simulator.

Most Sensitive Time

What enables hackers to exploit this vulnerability without much difficulty?

Well, honestly speaking, there is no such thing as an easy job when it comes to hacking computer machines.

However, there are certain things that the target machine’s user can do in order to make the job easier for hackers and other cyber criminals.

For example, hackers can use this Unity vulnerability quite easily on computers which have application programs that are loaded into the PLC simulator without any password protection.

Computers which have no application programs loaded into their PLC simulator also present an easy target for hackers.

But what do hackers really want when it comes to a target computer?

Well, hackers want control.

They want access.

This way they can actually impact a company’s production process.

Of course, we’re talking about production processes that rely on industrial controller system physical environments.

Which environments are these?

Well, these environments include:

  • Turbines
  • Smart meters
  • Valves
  • Centrifuges

Gandelsman also noted that if a hacker achieves this level of access then the hacker can use that access to modify the drug recipes that are in use.

The company may think it is manufacturing the correct product with its industrial control systems, but it may actually not be.

Hackers can also cut the power to the power grid of a whole city.

That’s how dangerous such levels of access are in real life.

Gandelsman On Unity Pro Vulnerabilities In The Media

The flaw isn’t something new. Perhaps that is why the company has already come out with a patch.

Gandelsman also presented his findings along with his research at the Industrial Control Systems Cyber Security conference back in 2016.

While presenting his findings in Atlanta, Ga., just a week ago, he noted that security researchers discovered this Unity vulnerability about six months ago.

Back then, researchers disclosed their findings to Schneider Electric as well.

The good news is that Schneider Electric listened to and acted on these vulnerabilities.

And then came out with a patch that secured networks against the Unity vulnerability.

The folks over at Indegy believe that the Unity vulnerability can affect all control networks that make use of Schneider Electric industrial controllers.

Schneider Electric came out with a response on October 14 and said that the company had recognized the flaw.

Schneider Electric also issued a notification for all its customers.

The company said that the Unity vulnerability amounted to arbitrary code execution.

In other words, hackers would have to remotely download a patched project file to the Unity Pro Simulator.

The Indegy research also says that the Unity vulnerability is present because of an inherent fault within the Unity Pro system.

What is That Unity Pro Fault?

That fault is basically how Unity Pro works.

In other words, the Unity Pro allows users to execute any code remotely and on any given computer which has Unity Pro on it.

Moreover, it allows users to have debug privileges as well.

As you can probably imagine, this gives hackers an easy way to infect systems and wreak destruction.

Indegy also released a brief report on the Unity vulnerability and said the same thing.

It also said that the Unity vulnerability affects almost all versions of the Unity Pro software.

And that includes the latest version of Unity Pro.

Of course, that is all according to Indegy research.

Moreover, Indegy also points out that hackers don’t need to compromise the industrial controls in order to exploit the Unity vulnerability.

Of course, we are talking strictly about an Industrial Control System network here.

Anyway, Indegy believes industrial controllers are at risk because they lack proper authentication.

Moreover, most of the industrial communications also lack proper encryption protocols.

Indegy also said that it didn’t matter if users used SCADA or DCS software applications on the network or computer machine.

If a system has Schneider Electric controllers installed or deployed on it, then the system has to make use of Unity Pro software on its engineering workstations as well.

All of this makes it a bit easier for hackers to carry out an attack on virtually any given process that these PLCs control.

Schneider Electric Response On The Vulnerability.

Schneider Electric has come out with a detailed description of the Unity vulnerability.

The company has said that the Unity vulnerability comes down to a fundamental flaw that exists in their product.

Basically, a machine compiles the Unity project but does so as x86 instructions and then loads the Unity projects onto the company’s PLC simulator or programmable logic controller simulator.

The company says that it is entirely possible that hackers can force the simulator to execute a malicious piece of code.

They can do so by changing the direction of the control flow that is involved with these x86 instructions.

Hackers can also implant shell code right into the free space of any given Unity Pro project.

After that, hackers can download the patched Unity project and then execute its code on the PLC simulator.

Reporters also asked Gandelsman if hackers had used the Unity vulnerability to exploit the public at large.

Gandelsman said that he could not address the issue.

He pointed out that security researchers had detected the Unity vulnerability and he could say nothing more than that.

Perhaps we should also mention here that, when asked for comment, Schneider Electric did not bother to respond.

Gandelsman said that the Unity vulnerability represented the worst possible flaw the company could have expected.

Schneider Recommendations To Combat This Vulnerability.

Guidelines are useful only when someone tries to follow them.

Thankfully, Schneider Electric has already come out with mitigation measures against the Unity vulnerability.

The guidelines against Unity vulnerability are as follows,

  • The company, by default, will not allow users to launch simulators without the presence of an associated Unity Pro application.
    This will go into effect for all versions starting from Unity Pro v11.1.
  • Users will have the option to select their preferred Unity Pro default applications.
    The simulator will then launch these applications.
    The user also has the responsibility to protect the related application programs.
    The easiest way to do so is with the help of a password.
  • Once a user has protected an application with a password and has loaded the application onto the Unity Pro simulator, the software will not allow the user to modify or load the application in question without proper authentication.

Concluding But Important Notes For The Unity vulnerability

The burden of responsibility is on the user to protect the company’s applications via a strong password.

Schneider Electric came out with a report that discussed several vulnerabilities that affected its modules.

Most of these modules supported Schneider Electric’s Factory Cast Modbus features.

Researchers also identified another Schneider Electric bug just last year.

Back then, they also managed to tie the bug to a series of dangerous vulnerabilities.

Almost all of these vulnerabilities fell into the domain of authentication and credential verification problems.

Needless to say, researchers found these vulnerabilities in some Schneider Electric HMI products.

Two of them for accuracy’s sake.

Researchers said that a hacker could have used the exploits to run arbitrary malicious code on these products.

The US Industrial Control System Cyber Emergency Response Team also released a report back in September.

The officials involved with that report concluded that some long-term issues continued to plague SCADA systems as well as Industrial Control Systems.

Moreover, the report identified some areas to which the officials thought the industry did not pay much attention.

Some of those areas are as follows,

  • Lack of proper access controls that limit the user’s unauthorized access
  • Bad software application code quality
  • Absence and sometimes weakening of cryptographic security.
    Especially in areas that involved network communications and data protection.

The report said that the industry itself had to address these issues adequately before hackers can cause a massive amount of damage to the industry.

 
