
Vulnerabilities in Schneider UMAS protocol uncovered

By Staff Writer, ITWeb
Johannesburg, 17 Oct 2022

By exploiting vulnerabilities on Schneider Electric’s proprietary Unified Messaging Application Services (UMAS) protocol, attackers could gain access to an entity’s entire automation system.

This was revealed by Kaspersky ICS CERT, which investigated this widely used protocol, found in industries ranging from manufacturing to elevator control systems.

The UMAS protocol is used to configure, monitor, collect data from and control Schneider Electric industrial controllers, and is widespread across many industries. The issues described by Kaspersky’s experts concern unauthorised access to the programmable logic controller (PLC) and ways bad actors can bypass authentication.

In 2020, a vulnerability, CVE-2020-28212, was reported that could be exploited by a remote unauthorised attacker to gain control of a PLC with the privileges of an operator already authenticated on the controller.

To address the vulnerability, Schneider Electric developed a new mechanism, Application Password, which should provide protection against unauthorised access to PLCs and unwanted modifications.

Bypassing authentication

However, the analysis conducted by Kaspersky ICS CERT experts has shown that the implementation of the new security mechanism also has flaws. The CVE-2021-22779 vulnerability, which was identified in the course of the research, could enable a remote attacker to make changes to the PLC, thereby bypassing authentication.

As the researchers found, the main problem was that the authentication data used to “reserve” the device for modification was computed entirely on the client side, and the “secret” it was derived from could be obtained from the PLC without authentication.
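To make that design flaw concrete, here is an added, illustrative Python model that is not Kaspersky’s or Schneider Electric’s code and does not reproduce UMAS message formats: a reservation token derived on the client from a secret readable without authentication, next to a challenge-response design in which the password never leaves the device. `WeakPLC`, `HardenedPLC` and the `reservation_bypassable` audit check are hypothetical names.

```python
import hashlib
import hmac
import secrets

# Illustrative model of the flaw described above (not UMAS packet formats): the
# token that "reserves" the device for modification is computed entirely by the
# client from a "secret" the device will hand to anyone who asks.
class WeakPLC:
    def __init__(self, secret: bytes):
        self._secret = secret
        self.reserved_by = None

    def read_secret(self) -> bytes:
        return self._secret  # the flaw: no authentication required to read this

    def reserve(self, client_id: str, token: bytes) -> bool:
        ok = hmac.compare_digest(hashlib.sha256(self._secret).digest(), token)
        if ok:
            self.reserved_by = client_id
        return ok

def reservation_bypassable(plc: WeakPLC) -> bool:
    """Audit check: can a peer knowing only what the device discloses without
    authentication obtain the reservation? True means the control is cosmetic."""
    return plc.reserve("unauthenticated-probe", hashlib.sha256(plc.read_secret()).digest())

# Hardened model: the device issues a fresh random challenge and checks an HMAC
# keyed with a password it never sends, so the response is not derivable without it.
class HardenedPLC:
    def __init__(self, password: bytes):
        self._password = password
        self._pending = {}
        self.reserved_by = None

    def challenge(self, client_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[client_id] = nonce
        return nonce

    def reserve(self, client_id: str, response: bytes) -> bool:
        nonce = self._pending.pop(client_id, None)  # one-shot: replays fail
        if nonce is None:
            return False
        ok = hmac.compare_digest(hmac.new(self._password, nonce, hashlib.sha256).digest(), response)
        if ok:
            self.reserved_by = client_id
        return ok

def client_response(password: bytes, nonce: bytes) -> bytes:
    return hmac.new(password, nonce, hashlib.sha256).digest()
```

The audit check succeeds against the weak model with nothing but unauthenticated reads, while the hardened model rejects both a replayed response and one computed with the wrong password.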

Schneider Electric published an advisory with a remediation that addressed the vulnerabilities. Kaspersky, in turn, recommends also using network monitoring and deep industrial protocol analysis solutions to monitor and control remote access attempts to PLC devices.

Pavel Nesterov, a security expert at ICS CERT Kaspersky, says the threat landscape is evolving, and businesses’ security strategies must also evolve to meet new challenges.

“Today, building a cyber security system is not an end-state, but a continuous proactive process – that is proved by the example of the UMAS protocol,” he adds.

Kaspersky is grateful that Schneider Electric managed to respond rapidly to the discovered vulnerabilities and provide its clients with an appropriate solution and recommendations.
