Kaspersky ICS CERT reveals “secrets” in Schneider UMAS protocol

UMAS (Unified Messaging Application Services) is Schneider Electric’s proprietary protocol used to configure, monitor, collect data and control Schneider Electric industrial controllers. The use of protocol is very widespread among different industries. The issues described by Kaspersky ICS CERT experts refer to unauthorized access to the programmable logic controller (PLC) and ways cybercriminals take to bypass authentication.

In 2020, the vulnerability, CVE-2020-28212, was reported, which could be exploited by a remote unauthorized attacker to gain control of a programmable logic controller (PLC) with the privileges of an operator already authenticated on the controller. To address the vulnerability, Schneider Electric developed a new mechanism, Application Password, which should provide protection against unauthorized access to PLCs and unwanted modifications.

An analysis conducted by Kaspersky ICS CERT experts has shown that the implementation of the new security mechanism also has flaws. The CVE-2021-22779 vulnerability, which was identified in the course of the research, could allow a remote attacker to make changes to the PLC, bypassing authentication.

As the researchers investigated, the main problem was that the authentication data used to “reserve” the device for modification was computed entirely on the client side, and the “secret” used could be obtained from PLC without authentication.

Schneider Electric published an advisory with a remediation addressing the vulnerabilities. Kaspersky ICS CERT in turn recommends to additionally use network monitoring and deep industrial protocol analysis solutions such as Kaspersky Industrial CyberSecurity for Networks, to monitor and control remote access attempts to PLC devices.

“The threat landscape is constantly evolving, and an organization’s security strategy must constantly evolve as well to meet new challenges. Today, building cyber security system is not an end-state, but a continuous proactive process – that is proved by the example of the UMAS protocol. We’re grateful that Schneider Electric managed to respond that rapidly to the discovered vulnerabilities and provide its clients with appropriate solution and recommendations. However, our advice to all responsible for security within an enterprise is to implement special solutions,” - comments Pavel Nesterov, a security expert at ICS CERT Kaspersky.

Learn more about Schneider Electric’s UMAS protocol and its “secrets” on ICS CERT.

To keep your ICS computers protected from various threats, Kaspersky experts recommend:

·       Regularly update operating systems and application software that are part of the enterprise’s network. Apply security fixes and patches to IT and OT network equipment as soon as they are available

·       Conduct regular security audits of IT and OT systems to identify and eliminate possible vulnerabilities

·       Use ICS network traffic monitoring, analysis, and detection product Kaspersky Industrial CyberSecurity for Networks for better protection from attacks which potentially threaten technological processes and main enterprise assets. The special Command Control module detects the exploitation of vulnerabilities in UMAS protocol, when an attacker attempts to execute the command "Reserve controller". Another module Network Integrity Control registers unauthorized network connections. All events are combined into an incident and sent to the administrator for further investigation.

·       Put in place dedicated security training for IT security teams and OT engineers, to improve response to new and advanced malicious techniques

·       Provide the security team responsible for protecting industrial control systems with up-to-date threat intelligence. Our ICS Threat Intelligence Reporting service provides insights into current threats and attack vectors, as well as the most vulnerable elements in OT and industrial control systems and how to mitigate them