This research work is performed by our Global OT/IoT security research team as part of our research into authentication and authorization implementations in ICS networks. While most of these implementations are protected to a certain extent by unique complexity, 24/7 monitoring, and built-in fault tolerance and redundancy, vulnerabilities and attacks targeting them should not be discounted.

We present two attacks on SoMachine Basic v1.6 and the Schneider Electric M221 (Firmware 1.6.2.0) Programmable Logic Controller (PLC). In the first, we are able to intercept, manipulate, and re-transmit control plane commands between the engineering software and the PLC. In the second, we present a vulnerability in the SoMachine Basic v1.6 engineering software. The attack was disclosed to Schneider Electric and the details on vulnerability CVE-2017-6034 were updated on 13 August.

We use the Purdue Reference Model shown in Figure 1 to orientate the reader to the functionalities of the components in an industrial control systems (ICS) network. At Level 0, an ICS network has sensors and actuators that interact with the physical processes of the network. An example of data plane activity is to retrieve the readings from the sensors. Examples of control plane activities are to stop the PLC or download new ladder logic to the PLC. Unlike data-plane activities, control plane activities are usually communicated in ways that are unnamed, undocumented, and specific to the OT vendor. If we draw a parallel to IT environments, control or administrative activities should require higher privilege levels (e.g.

In our research, the engineering software is SoMachine Basic v1.6 and the PLC it communicates with is the Schneider Electric M221.

The protocol used to send control commands to the M221 PLC is based on standard Modbus TCP/IP, which is an open specification. The first few bytes are the standard Modbus Application Header (MBAP) and standard Modbus Function Code that are described in the standard Modbus specification. The M221 reads the control command code to determine its action. We reverse engineered the software to identify the command codes.

At any time, each PLC will only accept a login from one instance of SoMachine Basic. When the engineer completes his task, he can click the “Logout” button to disconnect the PLC from the engineering workstation. An attacker will not be able to execute commands at will if there is an existing session with a legitimate SoMachine Basic. However, the team has found that it is possible to bypass software authentication by replaying previously captured packets in the network. The packet is forwarded to the PLC. The controller processed the modified packet and terminated the session with the legitimate software.

In the first attack, there are two things significant about the outcome here. Second, the attacker is now able to establish a session with the PLC and, using replay techniques, send control commands (e.g. This method of replay works for various control plane commands, including stopping the PLC and downloading ladder logic to the PLC.

The threat actors managed to execute the attack successfully because the Step 7 software did not check the integrity of the malicious DLL when it was loaded. Our research shows that SoMachine Basic does not perform adequate checks on critical values used in the communications with the PLC. Figure 6 highlights some of the functions. Following the inter-procedural control flow graph, we found that the hard-coded values were never checked or verified. This enables a threat actor to patch the DLL, modify the values, and change the intended behaviors of the packets. For instance, he could modify all the hard-coded values to run “Stop PLC” commands and the operator would lose control over the PLC.
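The replay described above is visible on the wire as a control-plane request body that was first sent by the legitimate workstation and later reappears from a different host. The following detector is an added example written for this page, not code from the original post or from Trustwave: it parses the standard MBAP header and function code the article refers to, and flags watched function codes whose PDU was previously sent by another client host. The sample frames are constructed, and function code 0x41 (from the Modbus user-defined range) stands in for a vendor control command, since the M221's actual command codes are not given on this page.

```python
import struct
from collections import defaultdict

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

def parse_modbus_tcp(frame: bytes) -> dict:
    """Split a Modbus TCP frame into MBAP fields, function code and PDU data."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus (0)" % pid)
    if length != len(frame) - 6:  # the length field counts unit id + PDU bytes
        raise ValueError("MBAP length %d does not match frame size" % length)
    return {"tid": tid, "unit": uid, "fc": frame[MBAP_LEN], "data": frame[MBAP_LEN + 1:]}

def is_well_formed(frame: bytes) -> bool:
    """True when the frame parses as Modbus TCP with a consistent MBAP length."""
    try:
        parse_modbus_tcp(frame)
        return True
    except ValueError:
        return False

class ReplayDetector:
    """Flag a watched-function-code request whose unit id, function code and PDU
    data were previously sent by a *different* client host. A captured
    control-plane command replayed from another workstation has this shape;
    routine polling (e.g. FC 3 reads) is not watched, to avoid false positives."""
    def __init__(self, watch_fcs):
        self.watch_fcs = set(watch_fcs)
        self.senders = defaultdict(set)  # (unit, fc, data) -> hosts that sent it

    def observe(self, src_host: str, frame: bytes) -> bool:
        msg = parse_modbus_tcp(frame)
        if msg["fc"] not in self.watch_fcs:
            return False
        key = (msg["unit"], msg["fc"], msg["data"])
        replayed = bool(self.senders[key] - {src_host})
        self.senders[key].add(src_host)
        return replayed

# Constructed sample frames (not captured M221 traffic). FC 0x41 is a stand-in
# vendor control command; FC 3 is a standard holding-register read.
# Both carry MBAP length 6 = unit id (1) + function code (1) + data (4).
CONTROL_FRAME = bytes.fromhex("000100000006014100010000")
READ_FRAME = bytes.fromhex("00020000000601030000000a")

if __name__ == "__main__":
    det = ReplayDetector(watch_fcs={0x41})
    print(det.observe("ws-1", CONTROL_FRAME))  # False: first sighting of the command
    print(det.observe("ws-2", CONTROL_FRAME))  # True: same command from another host
```

In a real deployment the watched set would be populated with the vendor-specific codes observed during a baseline of legitimate engineering sessions, and the host identity would come from the TCP connection rather than a label.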