U.S. Department of Homeland Security | ICS-CERT (Industrial Control Systems Cyber Emergency Response Team)
TLP:WHITE

Advisory (ICSA-16-306-03)

Schneider Electric Unity PRO Control Flow Management Vulnerability

Original release date: November 01, 2016

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.



OVERVIEW

Avihay Kain and Mille Gandelsman of Indegy have identified a vulnerability in Schneider Electric's Unity PRO software product. Schneider Electric has released a security notification with instructions to mitigate this vulnerability.

This vulnerability could be exploited remotely.

AFFECTED PRODUCTS

Schneider Electric reports that the vulnerability affects the following versions of Unity PRO:

  • Unity PRO, all versions prior to V11.1

IMPACT

An attacker who misleads a valid user into loading a specially crafted malicious file into Unity Simulator could remotely execute arbitrary code.

Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

BACKGROUND

Schneider Electric’s corporate headquarters is located in Paris, France, and it maintains offices in more than 100 countries worldwide.

The affected product, Unity PRO, is development software used to test, debug, and manage applications. According to Schneider Electric, Unity PRO is deployed across most sectors including Commercial Facilities and Energy. Schneider Electric estimates that this product is used worldwide.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

INSUFFICIENT CONTROL FLOW MANAGEMENT

Unity projects can be compiled as x86 instructions and loaded onto the PLC Simulator delivered with Unity PRO. These x86 instructions are subsequently executed directly by the simulator. A specially crafted patched Unity project file can make the simulator execute malicious code by redirecting the control flow of these instructions.

CVE-2016-8354 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

VULNERABILITY DETAILS

EXPLOITABILITY

This vulnerability could be exploited remotely.

EXISTENCE OF EXPLOIT

Detailed vulnerability information is publicly available that could be used to develop an exploit that targets this vulnerability.

DIFFICULTY

Crafting a working exploit for this vulnerability would be difficult. Social engineering is required to convince the user to accept the patched program file. Additional user interaction is needed to load the malformed file. This decreases the likelihood of a successful exploit.

MITIGATION

This vulnerability is made possible when no application program has been loaded in the simulator or when the application program loaded in the simulator is not password protected.

Schneider Electric recommends the following mitigation practices:

  • Upgrade to Unity PRO Version 11.1. By default, it is not possible to launch this version of the simulator without any Unity PRO application associated.
  • Exercise caution in selecting which project files are executed by the simulator. Do not trust files that come from unknown or untrusted sources.
  • Use strong passwords to protect applications. Once a password-protected application has been loaded onto the simulator, it cannot be loaded or modified without authentication.
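The second recommendation, not trusting project files of unknown origin, is easier to follow when "known good" is something the engineering workstation can check rather than a judgement made at load time. The code below is an added example and is not Schneider Electric's or ICS-CERT's own tooling: it keeps an allow-list manifest of approved project files and their SHA-256 digests, protects the manifest itself with an HMAC so that an attacker who can drop a project file cannot simply add it to the list, and rejects anything unlisted, modified, or covered by a manifest with a bad signature. The file names, file contents and signing key are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed example key. In practice the key stays with the team that
# publishes approved project files and is never stored beside the manifest.
MANIFEST_KEY = b"example-manifest-signing-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Sorted keys and fixed separators make the JSON encoding deterministic,
    # so the signature does not depend on formatting.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(entries: dict, key: bytes) -> dict:
    """entries maps project-file name -> approved SHA-256 hex digest."""
    sig = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "sig": sig}


def verify_manifest(manifest: dict, key: bytes) -> bool:
    expected = hmac.new(key, _canonical(manifest.get("entries", {})),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("sig", ""))


def check_project_file(name: str, data: bytes, manifest: dict, key: bytes):
    """Return (allowed, reason). Default-deny: only a listed file whose
    digest matches, under a manifest with a valid signature, is allowed."""
    if not verify_manifest(manifest, key):
        return False, "manifest signature invalid; refusing all project files"
    expected = manifest["entries"].get(name)
    if expected is None:
        return False, f"{name} is not in the approved-project manifest"
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected):
        return False, (f"{name} digest {actual[:12]}... does not match "
                       f"approved {expected[:12]}...")
    return True, f"{name} matches its approved digest"


# Constructed sample bytes standing in for real Unity PRO project files.
APPROVED_PROJECT = b"constructed project bytes: pump_station_v3"
TAMPERED_PROJECT = APPROVED_PROJECT + b" (modified)"   # any change fails the check


def demo() -> dict:
    """Run the gate over the four cases a practitioner cares about."""
    name = "pump_station_v3.project"                  # constructed file name
    manifest = sign_manifest({name: sha256_hex(APPROVED_PROJECT)}, MANIFEST_KEY)

    results = {
        "approved": check_project_file(name, APPROVED_PROJECT, manifest, MANIFEST_KEY)[0],
        "tampered": check_project_file(name, TAMPERED_PROJECT, manifest, MANIFEST_KEY)[0],
        "unlisted": check_project_file("unknown.project", APPROVED_PROJECT,
                                       manifest, MANIFEST_KEY)[0],
    }
    # Someone edits the manifest to whitelist their file without re-signing:
    # the stale signature no longer covers the new entries, so everything is refused.
    forged_entries = dict(manifest["entries"])
    forged_entries["unknown.project"] = sha256_hex(APPROVED_PROJECT)
    forged = {"entries": forged_entries, "sig": manifest["sig"]}
    results["forged_manifest"] = check_project_file("unknown.project", APPROVED_PROJECT,
                                                    forged, MANIFEST_KEY)[0]
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:16s} -> {'ALLOW' if allowed else 'REFUSE'}")
```

Wired into a wrapper that runs before the simulator is launched, this turns the advisory's "do not trust files from unknown or untrusted sources" into a mechanical check with an audit trail: every refusal reason above is worth logging, and a run of "not in the approved-project manifest" or "digest does not match" events on an engineering workstation is a signal worth investigating.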

For more information on this vulnerability and more detailed mitigation instructions, please see Schneider Electric security notification SEVD-2016-288-01 at the following location:

http://www.schneider-electric.com/ww/en/download/document/SEVD-2016-288-01

ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should take the following measures to protect themselves from social engineering attacks:

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies, which is available for download from the ICS-CERT web site.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.


Contact Information

For any questions related to this report, please contact the NCCIC at:

Email: NCCICCUSTOMERSERVICE@hq.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information: http://ics-cert.us-cert.gov
or incident reporting: https://ics-cert.us-cert.gov/Report-Incident?
