
Woburn, MA – September 19, 2022 — Kaspersky ICS CERT investigated Unified Messaging Application Services (UMAS) by Schneider Electric and discovered vulnerabilities in this widely used protocol, which is deployed in industries ranging from manufacturing to elevator control systems. If attackers were to exploit the discovered vulnerabilities, they could gain access to an entity's entire automation system.

UMAS is Schneider Electric’s proprietary protocol used to configure, monitor, collect data from and control Schneider Electric industrial controllers. The protocol is widely used across different industries. The concerns outlined by Kaspersky ICS CERT experts relate to unauthorized access to the programmable logic controller (PLC) and ways in which cybercriminals could bypass authentication.

In 2020, the CVE-2020-28212 vulnerability was reported, which could be exploited by a remote unauthorized attacker to gain control of a programmable logic controller (PLC) with the privileges of an operator already authenticated on the controller. To address the vulnerability, Schneider Electric developed a new mechanism, Application Password, which should provide protection against unauthorized access to PLCs and unwanted modifications.

An analysis conducted by Kaspersky ICS CERT experts has shown that the implementation of the new security mechanism also has flaws. The CVE-2021-22779 vulnerability, which was identified in the course of the research, could allow a remote attacker to make changes to the PLC and bypass authentication.

The researchers found that the main problem was that the authentication data used to “reserve” the device for modification was computed entirely on the client side, and the “secret” it was derived from could be obtained from the PLC without authentication.
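To make the design flaw concrete, the following added illustration (not code from Kaspersky ICS CERT, Schneider Electric, or the UMAS protocol; the message names, the `ClientSideAuthPlc` and `ChallengeResponsePlc` classes, and the sample password are all constructed) contrasts a toy "reservation" scheme in which the token is computed on the client from a value the PLC hands out unauthenticated, with a server-verified challenge-response scheme in which the PLC contributes a fresh single-use nonce and never discloses the password-derived key:

```python
"""Toy model of two PLC reservation designs.

Constructed illustration only: it does not reproduce UMAS's real message
format or Schneider Electric's Application Password mechanism.
"""
import hashlib
import hmac
import secrets

PASSWORD = b"operator-password"  # constructed sample value


class ClientSideAuthPlc:
    """Weak design: the 'secret' is readable without authentication and the
    reservation token is derived from it entirely on the client side."""

    def __init__(self, password: bytes) -> None:
        # Stored digest of the application password (simplified derivation).
        self._secret = hashlib.sha256(password).digest()

    def read_secret(self) -> bytes:
        # Flaw: served to any client on the network, no authentication required.
        return self._secret

    @staticmethod
    def compute_token(secret: bytes) -> bytes:
        # Client-side computation; the PLC contributes nothing unpredictable,
        # so whoever can read the secret can build a valid token.
        return hashlib.sha256(b"reserve:" + secret).digest()

    def reserve(self, token: bytes) -> bool:
        expected = self.compute_token(self._secret)
        return hmac.compare_digest(token, expected)


class ChallengeResponsePlc:
    """Hardened design: the PLC issues a fresh nonce, verifies the response
    itself, and never exposes the key; only a client that knows the password
    can answer, and each nonce is accepted once."""

    def __init__(self, password: bytes) -> None:
        # Simplified key derivation; a real design would use a slow KDF.
        self._key = hashlib.sha256(password).digest()
        self._pending: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    @staticmethod
    def respond(password: bytes, nonce: bytes) -> bytes:
        # Client side: needs the password itself, not a value read from the PLC.
        key = hashlib.sha256(password).digest()
        return hmac.new(key, b"reserve:" + nonce, hashlib.sha256).digest()

    def reserve(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:
            return False  # unknown or replayed nonce
        self._pending.discard(nonce)  # single use
        expected = hmac.new(self._key, b"reserve:" + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def weak_design_reserves_without_password() -> bool:
    """A client that never learns the password still obtains a reservation."""
    plc = ClientSideAuthPlc(PASSWORD)
    leaked = plc.read_secret()                     # unauthenticated read
    return plc.reserve(plc.compute_token(leaked))  # token built from it


def hardened_design_requires_password() -> tuple:
    """Returns (legitimate client succeeds, wrong password fails, replay fails)."""
    plc = ChallengeResponsePlc(PASSWORD)
    nonce = plc.challenge()
    good = plc.respond(PASSWORD, nonce)
    legit = plc.reserve(nonce, good)
    replay = plc.reserve(nonce, good)  # same nonce again: rejected
    nonce2 = plc.challenge()
    wrong = plc.reserve(nonce2, plc.respond(b"guess", nonce2))
    return legit, wrong, replay


if __name__ == "__main__":
    print("weak design reserved without password:", weak_design_reserves_without_password())
    print("hardened (legit, wrong pw, replay):", hardened_design_requires_password())
```

The design lesson is the one the advisory points at: authentication data must be verified by the device against something the client can only have if it holds the credential, with freshness supplied by the device, and the material that verification depends on must never be readable from the device without authentication.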

Schneider Electric published an advisory with a remediation addressing the vulnerabilities. Kaspersky ICS CERT in turn additionally recommends using network monitoring and deep industrial protocol analysis solutions to monitor and control remote access attempts to PLC devices.

“The threat landscape is constantly evolving, and an organization’s security strategy must constantly evolve as well to meet new challenges,” said Pavel Nesterov, a security expert at ICS CERT Kaspersky. “Today, building a cyber security system is not an end-state, but a continuous proactive process, as the example of the UMAS protocol proves. We’re grateful that Schneider Electric managed to respond that rapidly to the discovered vulnerabilities and provide its clients with an appropriate solution and recommendations. However, our advice to all responsible for security within an enterprise is to implement special solutions.”

Learn more about Schneider Electric’s UMAS protocol and its “secrets” on ICS CERT.

To keep your ICS computers protected from various threats, Kaspersky experts recommend:

  • Regularly update operating systems and application software that are part of the enterprise’s network. Apply security fixes and patches to IT and OT network equipment as soon as they are available
  • Conduct regular security audits of IT and OT systems to identify and eliminate possible vulnerabilities
  • Use the ICS network traffic monitoring, analysis, and detection product Kaspersky Industrial CyberSecurity for Networks for better protection from attacks which potentially threaten technological processes and main enterprise assets. The special Command Control module detects the exploitation of vulnerabilities in the UMAS protocol when an attacker attempts to execute the command "Reserve controller". Another module, Network Integrity Control, registers unauthorized network connections. All events are combined into an incident and sent to the administrator for further investigation.
  • Put in place dedicated security training for IT security teams and OT engineers, to improve response to new and advanced malicious techniques
  • Provide the security team responsible for protecting industrial control systems with up-to-date threat intelligence. Our ICS Threat Intelligence Reporting service provides insights into current threats and attack vectors, as well as the most vulnerable elements in OT and industrial control systems and how to mitigate them
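The monitoring approach described in the list above (flag controller-reservation commands from hosts that are not approved engineering workstations, flag connections outside a known baseline, and group everything from one source into a single incident) can be sketched in a few lines. The code below is an added illustration, not Kaspersky Industrial CyberSecurity for Networks logic; the log format, the host addresses, the allowlist, the baseline and the command names (`reserve_controller`, `read_memory`, `write_memory`) are all constructed:

```python
"""Constructed detection sketch for PLC reservation attempts.

Not the product's own logic: log lines, hosts and command names are made up.
"""
import re
from collections import defaultdict

# Engineering workstations allowed to reserve controllers (constructed).
APPROVED_ENGINEERING_HOSTS = {"10.0.0.5"}
# (src, dst) pairs observed during commissioning (constructed baseline).
BASELINE_CONNECTIONS = {("10.0.0.5", "10.0.1.20"), ("10.0.0.7", "10.0.1.20")}
# Commands that place the PLC under a client's control (constructed names).
CONTROL_COMMANDS = {"reserve_controller"}

# Constructed sample traffic log: an approved workstation working normally,
# then an unknown host connecting and reserving the controller.
SAMPLE_LOG = """\
2022-09-19T10:00:01 src=10.0.0.5 dst=10.0.1.20 proto=umas cmd=read_memory
2022-09-19T10:00:02 src=10.0.0.5 dst=10.0.1.20 proto=umas cmd=reserve_controller
2022-09-19T10:03:10 src=10.0.0.42 dst=10.0.1.20 proto=umas cmd=read_memory
2022-09-19T10:03:11 src=10.0.0.42 dst=10.0.1.20 proto=umas cmd=reserve_controller
2022-09-19T10:03:12 src=10.0.0.42 dst=10.0.1.20 proto=umas cmd=write_memory
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) cmd=(?P<cmd>\S+)$"
)


def parse(log: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def analyse(log: str) -> dict:
    """Return {source_host: [alert, ...]}; each source gets one incident."""
    incidents = defaultdict(list)
    seen_pairs = set()
    for ev in parse(log):
        pair = (ev["src"], ev["dst"])
        # Network-integrity check: a connection pair never seen in the baseline,
        # reported once per pair rather than once per packet.
        if pair not in BASELINE_CONNECTIONS and pair not in seen_pairs:
            seen_pairs.add(pair)
            incidents[ev["src"]].append(
                f'{ev["ts"]} unknown connection {ev["src"]}->{ev["dst"]}'
            )
        # Command-control check: a control command from a non-approved host.
        if ev["cmd"] in CONTROL_COMMANDS and ev["src"] not in APPROVED_ENGINEERING_HOSTS:
            incidents[ev["src"]].append(
                f'{ev["ts"]} {ev["cmd"]} from non-approved host to {ev["dst"]}'
            )
    return dict(incidents)


if __name__ == "__main__":
    for host, alerts in analyse(SAMPLE_LOG).items():
        print(f"incident for {host}:")
        for alert in alerts:
            print("  ", alert)
```

On the sample log the approved workstation 10.0.0.5 produces no alerts, while 10.0.0.42 produces one incident containing both an unknown-connection alert and a reservation-from-non-approved-host alert, which is the grouping the list item describes.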

About Kaspersky ICS CERT

Kaspersky Industrial Control Systems Cyber Emergency Response Team (Kaspersky ICS CERT) is a global project launched by Kaspersky in 2016 to coordinate the efforts of automation system vendors, industrial facility owners and operators, and IT security researchers to protect industrial enterprises from cyberattacks. Kaspersky ICS CERT devotes its efforts primarily to identifying potential and existing threats that target industrial automation systems and the Industrial Internet of Things. Kaspersky ICS CERT is an active member and partner of leading international organizations that develop recommendations on protecting industrial enterprises from cyberthreats. ics-cert.kaspersky.com.

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Media Contact:

Cassandra Faro

Cassandra.Faro@Kaspersky.com

781-503-1812


Kaspersky ICS CERT reveals “secrets” in Schneider UMAS protocol
