New ICS Vulnerabilities Discovered in Schneider Electric and B&R Automation Systems
Overview
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued two urgent advisories regarding serious vulnerabilities in industrial control system (ICS) products. The vulnerabilities, identified in Schneider Electric's RemoteConnect and SCADAPack x70 Utilities and in B&R Automation's Runtime software, pose risks to critical infrastructure systems worldwide. If exploited, they could have devastating impacts on the integrity, confidentiality, and availability of systems within energy, critical manufacturing, and other essential sectors.
Schneider Electric’s Vulnerability in RemoteConnect and SCADAPack x70 Utilities
The ICS vulnerability in Schneider Electric’s RemoteConnect and SCADAPack x70 Utilities arises from the deserialization of untrusted data, identified as CWE-502. This flaw could allow attackers to execute remote code on affected workstations, leading to several security risks, including the loss of confidentiality and integrity. The issue is triggered when a non-admin authenticated user opens a malicious project file, which could potentially be introduced through email, file sharing, or other methods.
Schneider Electric has assigned the CVE identifier CVE-2024-12703 to this vulnerability, with a CVSS v3 base score of 7.8 and a CVSS v4 score of 8.5. Both scores reflect the severity of the issue, whose potential consequences include unauthorized remote code execution.
This vulnerability affects all versions of both RemoteConnect and SCADAPack x70 Utilities, products widely deployed in sectors such as energy and critical manufacturing across the globe. Although Schneider Electric is working on a remediation plan for future product versions, there are interim steps that organizations can take to mitigate the risk. These include:
- Only opening project files from trusted sources
- Verifying file integrity by computing and checking hashes regularly
- Encrypting project files and restricting access to trusted users
- Using secure communication protocols when exchanging files over the network
- Following established SCADAPack Security Guidelines for added protection
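The hash-verification step above can be automated with a manifest of trusted digests. The following is an added example, not Schneider Electric's tooling; it records SHA-256 digests of project files under a directory and later reports anything modified, missing or newly dropped in (the `.prj`/`.xml` suffixes and the sample files are assumptions for the demonstration).

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read in 1 MiB chunks so large project files are not loaded whole
PROJECT_SUFFIXES = (".prj", ".xml")  # assumed suffixes of project files to track


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, suffixes=PROJECT_SUFFIXES) -> dict:
    """Record a digest for every tracked project file under root (relative path -> digest)."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.suffix in suffixes}


def verify_manifest(root: Path, manifest: dict, suffixes=PROJECT_SUFFIXES) -> dict:
    """Compare the directory against a previously recorded, trusted manifest.

    Returns lists of files whose digest changed, files that disappeared, and files
    that were not in the manifest at all (e.g. a project file introduced by email).
    """
    current = build_manifest(root, suffixes)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "unexpected": sorted(f for f in current if f not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: baseline two files, then tamper with one and add an unknown one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pump_station.prj").write_bytes(b"trusted project contents")
        (root / "config.xml").write_bytes(b"<config/>")
        manifest = build_manifest(root)          # taken while the files are known-good
        (root / "pump_station.prj").write_bytes(b"modified contents")  # tampered
        (root / "extra.prj").write_bytes(b"unknown file")              # not in manifest
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest should be stored somewhere the engineering workstation cannot rewrite it, and any file reported as modified or unexpected should be treated as untrusted until its origin is confirmed.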
CISA recommends minimizing the network exposure of control system devices, ensuring they are not directly accessible from the internet, and placing control system networks behind firewalls to isolate them from business networks. When remote access is necessary, using secure methods like Virtual Private Networks (VPNs) is strongly advised. However, organizations should ensure that VPNs are regularly updated and adequately secured.
B&R Automation Runtime Vulnerability
The second advisory concerns a vulnerability in B&R Automation Runtime, a key software used in industrial control systems. The flaw arises from the use of a broken or risky cryptographic algorithm in the SSL/TLS component of B&R Automation Runtime versions prior to 6.1 and B&R mapp View versions prior to 6.1. Unauthenticated network-based attackers could exploit this vulnerability to impersonate legitimate services on impacted devices, creating opportunities for unauthorized access.
B&R Automation assigned CVE-2024-8603 to this vulnerability, which is classified as CWE-327. The CVSS v3 base score for this flaw is 7.5, indicating a moderately high risk to the affected systems. The vulnerability is especially concerning because it is exploitable remotely with low attack complexity, making it a viable target for attackers seeking to compromise ICS environments.
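The advisory does not name the weak algorithm, so the following is an added, generic illustration rather than B&R's code: a client-side TLS policy in Python's `ssl` module that refuses legacy protocol versions and known-weak cipher suites and always verifies the server certificate and hostname, which is the check that defeats service impersonation. The weak-suite pattern and the sample suite list are assumptions for the demonstration.

```python
import re
import ssl
from typing import List, Optional

# Name fragments of algorithms that are no longer acceptable in a TLS cipher suite.
WEAK_CIPHER_PATTERN = re.compile(r"(NULL|EXPORT|anon|RC4|DES|MD5|RC2|IDEA|SEED)", re.IGNORECASE)

# OpenSSL cipher string: forward-secret AEAD suites only, everything legacy excluded.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!EXPORT"


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Build a client context that only speaks TLS 1.2+ with strong suites and
    requires a valid, hostname-matching server certificate (ca_bundle is assumed to
    point at the CA that issued the device certificates; None uses the system store)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # an unverifiable server is rejected, not trusted
    ctx.check_hostname = True             # the certificate must match the device name
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def weak_suites_in(names: List[str]) -> List[str]:
    """Return the suites from a list of cipher-suite names that use a weak algorithm.
    Useful on the output of a scanner that lists what a device offers."""
    return [n for n in names if WEAK_CIPHER_PATTERN.search(n)]


def weak_suites_enabled(ctx: ssl.SSLContext) -> List[str]:
    """Audit a context: which of the suites it would negotiate are weak? Expected: none."""
    return weak_suites_in([c["name"] for c in ctx.get_ciphers()])


# Constructed sample of suites a legacy device might advertise.
SAMPLE_OFFERED = ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA", "RC4-MD5", "AES256-SHA"]

if __name__ == "__main__":
    print("weak suites offered:", weak_suites_in(SAMPLE_OFFERED))
    print("weak suites in hardened context:", weak_suites_enabled(hardened_client_context()))
```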
The affected products are used worldwide, primarily in the critical manufacturing sector. B&R Automation has released an update (version 6.1) that corrects the issue, and users are strongly encouraged to apply this update to mitigate the risk. In the meantime, CISA recommends several mitigation strategies to limit exposure, including:
- Applying the update to B&R Automation Runtime and B&R mapp View products as soon as possible
- Minimizing network exposure for all control system devices to prevent direct internet access
- Implementing firewalls and isolating control system networks from business networks
- Utilizing VPNs for remote access while ensuring that VPNs are kept up-to-date and secure
Conclusion
While no known public exploits targeting these vulnerabilities have been reported to CISA at the time of publication, the discovery of these flaws in Schneider Electric and B&R Automation products highlights the ongoing risks facing critical infrastructure sectors. Exploiting vulnerabilities in ICS products can lead to serious consequences, including data breaches, operational disruptions, and physical damage to infrastructure.
These incidents emphasize the urgent need for organizations to adopt proactive cybersecurity measures, such as regular patching, file integrity verification, and secure network configurations. By following CISA’s guidance and implementing comprehensive defense-in-depth strategies, organizations can better protect their systems from both known and emerging threats, ultimately reducing their exposure to cyber risks and ensuring the security of critical assets.
References:
- https://www.cisa.gov/news-events/ics-advisories/icsa-25-028-06
- https://www.cisa.gov/news-events/ics-advisories/icsa-25-028-01
The post New ICS Vulnerabilities Discovered in Schneider Electric and B&R Automation Systems appeared first on Cyble.