Kaspersky ICS CERT investigated on Unified Messaging Application Services (UMAS) by Schneider Electric and the vulnerabilities of this highly popular protocol, which is used in multiple industries – from manufacturing to elevator control systems.
By exploiting described vulnerabilities, attackers could gain access to the whole automation system of an entity.
UMAS (Unified Messaging Application Services) is Schneider Electric’s proprietary protocol used to configure, monitor, collect data and control Schneider Electric industrial controllers. The use of protocol is very widespread among different industries.
The issues described by Kaspersky ICS CERT experts refer to unauthorised access to the programmable logic controller (PLC) and ways cybercriminals take to bypass authentication.
In 2020, the vulnerability, CVE-2020-28212, was reported, which could be exploited by a remote unauthorised attacker to gain control of a programmable logic controller (PLC) with the privileges of an operator already authenticated on the controller.
To address the vulnerability, Schneider Electric developed a new mechanism, Application Password, which should provide protection against unauthorised access to PLCs and unwanted modifications.
An analysis conducted by Kaspersky ICS CERT experts has shown that the implementation of the new security mechanism also has flaws.
The CVE-2021-22779 vulnerability, which was identified in the course of the research, could allow a remote attacker to make changes to the PLC, bypassing authentication.
As the researchers investigated, the main problem was that the authentication data used to “reserve” the device for modification was computed entirely on the client side, and the “secret” used could be obtained from PLC without authentication.
Schneider Electric published an advisory with a remediation addressing the vulnerabilities. Kaspersky ICS CERT in turn recommends to additionally use network monitoring and deep industrial protocol analysis solutions such as Kaspersky Industrial CyberSecurity for Networks, to monitor and control remote access attempts to PLC devices.
“The threat landscape is constantly evolving, and an organisation’s security strategy must constantly evolve as well to meet new challenges. Today, building cyber security system is not an end-state, but a continuous proactive process – that is proved by the example of the UMAS protocol. We’re grateful that Schneider Electric managed to respond that rapidly to the discovered vulnerabilities and provide its clients with appropriate solution and recommendations. However, our advice to all responsible for security within an enterprise is to implement special solutions,” comments Pavel Nesterov, a security expert at ICS CERT Kaspersky.