Back in January, ICS-CERT issued an alert for four vulnerabilities in three Schneider Electric products, vulnerabilities that were reported by Arthur Gervais during the S4 conference held by Digital Bond. The update to that alert published today reports that two of those four were not really vulnerabilities.
M340 PLC Resource Exhaustion
ICS-CERT reports that:
“In Schneider Electric’s testing on the reported issue, the module does in fact stop communicating when the connection limit is exceeded, but the PLC continues its control functions and its operation is unaffected.”
In other words, exceeding the connection limit soft-resets the communications module but does not give a remote attacker a way to deny the PLC's control functions. From this brief description it seems to me that, depending on how easy it is to cause the system to exceed the connection limit, this could still allow an attacker to cause a loss of view of the system. While that is not nearly as serious a matter as loss of control, it would still be an exploitable vulnerability.
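The distinction ICS-CERT is drawing (the communications module stops answering, the controller keeps running) is exactly what a plant team would want to measure rather than take on faith. The script below is an added example, not anything from the alert or from Schneider: it stands up a constructed loopback server with an assumed session cap of four (the real M340 limit is not stated in the alert), opens and holds sessions until the target stops answering, checks whether an operator connection can still get a session while the limit is exhausted (the loss-of-view case), then releases the held sessions and checks that service returns. The one-byte banner, the port and the cap are all assumptions for the demo.

```python
import select
import socket
import threading
import time

# Constructed stand-in for a device with a fixed concurrent-session limit.
# The cap and banner are assumptions for the demo, not the M340's values.
MAX_SESSIONS = 4
BANNER = b"\x01"


class LimitedServer:
    """Loopback server: answers the first MAX_SESSIONS live sessions with a
    banner and closes any further connection without answering."""

    def __init__(self, max_sessions=MAX_SESSIONS):
        self.max_sessions = max_sessions
        self.live = []
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port, read back below
        self.sock.listen(64)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _prune(self):
        # Free the slot of any session whose peer has hung up (FIN received).
        kept = []
        for c in self.live:
            readable, _, _ = select.select([c], [], [], 0)
            if readable and c.recv(1, socket.MSG_PEEK) == b"":
                c.close()
            else:
                kept.append(c)
        self.live = kept

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return  # listening socket closed by close()
            self._prune()
            if len(self.live) < self.max_sessions:
                self.live.append(conn)
                conn.sendall(BANNER)
            else:
                conn.close()  # over the limit: drop without answering

    def close(self):
        self.sock.close()
        for c in self.live:
            c.close()


def session_opens(host, port, timeout=2.0):
    """Connect and wait for the banner. Returns the open socket, or None if
    the target closed the session (or stayed silent) instead of answering."""
    s = socket.create_connection((host, port), timeout=timeout)
    try:
        if s.recv(1) == BANNER:
            return s
    except OSError:
        pass
    s.close()
    return None


def probe_session_limit(host, port, max_probe=32):
    """Open sessions and hold them until the target stops answering.
    Returns (sessions granted, list of held sockets for the caller to release)."""
    held = []
    for _ in range(max_probe):
        s = session_opens(host, port)
        if s is None:
            break
        held.append(s)
    return len(held), held


def run_demo(max_sessions=MAX_SESSIONS):
    """Exhaust the session limit, test whether an operator can still get a
    session (loss of view), then release and test that service returns."""
    srv = LimitedServer(max_sessions)
    try:
        limit, held = probe_session_limit("127.0.0.1", srv.port)
        operator = session_opens("127.0.0.1", srv.port)
        loss_of_view = operator is None
        if operator is not None:
            operator.close()
        for s in held:
            s.close()
        recovered = False
        for _ in range(40):  # allow the server a moment to see the FINs
            s = session_opens("127.0.0.1", srv.port)
            if s is not None:
                s.close()
                recovered = True
                break
            time.sleep(0.05)
        return {"limit": limit, "loss_of_view": loss_of_view,
                "recovered": recovered}
    finally:
        srv.close()


if __name__ == "__main__":
    print(run_demo())
```

Run against a real panel or PLC the same measurement answers the practical question: how many sessions an attacker needs to hold, whether the HMI loses its view while they are held, and whether service returns on its own once they are released or only after the module resets.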
Magelis XBT Hardcoded Credentials
ICS-CERT notes that the reported hardcoded credential in the HMI panel is a factory default password for the security mode that is used to enable remote configuration uploads. The updated alert states that once “the user supplies a new password, the factory default password is no longer valid.” I find it hard to believe that an experienced security researcher would confuse an erasable default password with a hardcoded password, but mistakes do happen.
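The difference between the two readings comes down to one test: set a new password, then try the factory one again. The code below is an added illustration, not Schneider's firmware or anything from the alert; both device models and their passwords ("factory" and "service") are made up for the demo. `FactoryDefault` behaves as the updated alert describes (the default stops working once the user supplies a password), while `HardcodedBackdoor` is the pattern the original report alleged (a fixed credential that survives any change). `default_survives_change` is the check that tells them apart.

```python
import hashlib
import hmac
import os


def _hash(password, salt):
    # Salted PBKDF2 so the stored secret is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class FactoryDefault:
    """Hypothetical HMI where the factory default is valid only until the
    operator sets a password of their own (the behaviour Schneider describes)."""
    DEFAULT = "factory"  # assumed value for the demo

    def __init__(self):
        self.salt = os.urandom(16)
        self.user_hash = None  # None means still on the factory default

    def set_password(self, new_password):
        self.user_hash = _hash(new_password, self.salt)

    def authenticate(self, attempt):
        if self.user_hash is None:
            return hmac.compare_digest(attempt.encode(), self.DEFAULT.encode())
        return hmac.compare_digest(_hash(attempt, self.salt), self.user_hash)


class HardcodedBackdoor:
    """Hypothetical HMI with a genuinely hardcoded credential: the fixed
    password is checked before the user's and is never invalidated."""
    BACKDOOR = "service"  # assumed value for the demo

    def __init__(self):
        self.salt = os.urandom(16)
        self.user_hash = None

    def set_password(self, new_password):
        self.user_hash = _hash(new_password, self.salt)

    def authenticate(self, attempt):
        if hmac.compare_digest(attempt.encode(), self.BACKDOOR.encode()):
            return True  # accepted regardless of what the user configured
        if self.user_hash is None:
            return False
        return hmac.compare_digest(_hash(attempt, self.salt), self.user_hash)


def default_survives_change(device, default_password, new_password):
    """The acceptance test: after a password change, does the shipped
    credential still log in? True means hardcoded, False means a changeable
    default (which is a weak-default finding, not a backdoor)."""
    assert device.authenticate(default_password), "default should work initially"
    device.set_password(new_password)
    assert device.authenticate(new_password), "new password should work"
    return device.authenticate(default_password)


if __name__ == "__main__":
    print("FactoryDefault:", default_survives_change(FactoryDefault(), "factory", "Str0ng-Pass!"))
    print("HardcodedBackdoor:", default_survives_change(HardcodedBackdoor(), "service", "Str0ng-Pass!"))
```

The same test, run on the real panel after a password change, is what a researcher or ICS-CERT would need to perform to settle which of the two descriptions is right; a default that is still accepted afterwards is the real finding, and one that is not is a configuration-hardening item.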
If this had been a coordinated disclosure, ICS-CERT would have gone back to Arthur to confirm the information reported by Schneider. Since this was an uncoordinated disclosure, that does not appear to have been done. Hopefully, ICS-CERT has independently confirmed the Schneider interpretation of the situation involved in these reported vulnerabilities. There is no statement in the revised alert indicating that this has happened.
There is a document marking system employed on this updated alert that I have not seen employed by ICS-CERT before on their alerts or advisories: the Traffic Light Protocol. This document is marked “TLP = WHITE”.
US CERT has a Traffic Light Protocol page on its web site that describes the marking system. It explains that:
“The Traffic Light Protocol (TLP) is a set of designations used to ensure that sensitive information is shared with the correct audience. It employs four colors (Red, Amber, Green – hence ‘traffic light’ – and White) to indicate different degrees of sensitivity and the corresponding sharing considerations to be applied by the recipient(s).”
The page also explains where the program falls within the Controlled Unclassified Information (CUI) program established by Executive Order 13556:
“The Controlled Unclassified Information (CUI) program seeks to standardize the way U.S. Executive departments and agencies handle sensitive but unclassified (SBU) information, including information marked as "For Official Use Only (FOUO)," "Law Enforcement Sensitive (LES)," and others. It should be noted that the TLP designations are not a category or sub-category under the CUI program.”
So it seems that US CERT, by applying a sensitivity marking that sits outside the standardized CUI categories, is violating the spirit of EO 13556. I have to emphasize that it can only violate the spirit of the EO, since the regulations that were supposed to have been published back in 2011 have yet to be published.