Developer: Schneider Electric Global
Technology: APCS (industrial control systems)
2020: Vulnerabilities found that allow full control over industrial equipment
Ilya Karpov and Evgeny Druzhinin, experts at the ICS Cyber Security Laboratory of Rostelecom-Solar (part of PJSC Rostelecom), have identified a number of vulnerabilities in Schneider Electric industrial equipment used to manage power supply systems. Several of them are critical, allowing an attacker to take control of the device or bring its operation to a complete stop. Rostelecom-Solar reported this to TAdviser on July 7, 2020.
The security research covered the firmware of the Schneider Electric Easergy T300 (HU250) controller for automation of transformer substations and the separately delivered Schneider Electric Easergy Builder software, which is used to configure such equipment. The experts of the Rostelecom-Solar ICS Cyber Security Laboratory notified the vendor of the identified vulnerabilities and also passed the information to FSTEC of Russia for publication in the Information Security Threats Database (BDU:2020-02720 to BDU:2020-02736). As of July 7, 2020, security updates for Easergy T300 and Easergy Builder are available on the Schneider Electric website.
"Schneider Electric Easergy T300 controllers, as well as the Saitel DP and Saitel DR controllers managed with the Easergy Builder software, are used by electric grid and infrastructure companies worldwide, including in Smart Grid systems. The power supply of the population, hospitals, schools, transport infrastructure and other socially important facilities depends on their operation. Such devices are not always connected to data networks in line with best practices, so the equipment may be reachable by attacks from the Internet. That is why it is especially important for such devices to have reliable built-in information security features," emphasized Jan Sukhikh, head of the ICS cyber security department at Rostelecom-Solar.
A security check of the Easergy T300 web server showed that it is vulnerable to cross-site request forgery (CVE-2020-7503). The scenario is as follows: the attacker creates a malicious web page that exploits this vulnerability. If a user who is authenticated on the Easergy T300 controller's web server visits that page, requests are sent to the server in the user's name, and executing them can lead to an incorrect controller configuration and, as a result, to accidents, equipment failure or a blackout.
A number of serious problems relate to the implementation of encryption on the device. The researchers found that the controller code contains several vulnerabilities capable of completely nullifying the cryptographic protection of transmitted data: an attacker can obtain private encryption keys (CVE-2020-7510), the cryptographic algorithms are insufficiently resistant to cracking (CVE-2020-7511), and certain sensitive information, such as user logins and passwords, is stored and transmitted without any encryption at all (CVE-2020-7513). Exploiting these vulnerabilities can give a criminal access to all of the controller's traffic, including user accounts, which effectively means taking control of the device.
Errors in authentication security also make it possible to compromise user passwords: because the restrictions on the number of failed login attempts are too weak (CVE-2020-7508), an attacker can crack an account by automated password guessing (brute force). From there, the attacker can develop the attack further by exploiting a vulnerability that allows illegitimate escalation of account privileges (CVE-2020-7509). As a result, from an ordinary user account it becomes possible, for example, to erase OS configuration files or to install malware that provides remote control over the device.
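Since a weak lockout policy on the controller cannot be fixed from outside the firmware, the practical defender-side measure for the brute-force issue described above is to watch the controller's authentication logs for bursts of failed logins. The following is an added example, not code from the article or from Schneider Electric; the log format is constructed and hypothetical, so the regular expression would need to be adapted to the real device's syslog output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical syslog-like format.
# The real Easergy T300 log format is not described in the article.
SAMPLE_LOG = """\
2020-07-07T10:00:01 T300 auth: login failed user=admin src=10.0.0.5
2020-07-07T10:00:02 T300 auth: login failed user=admin src=10.0.0.5
2020-07-07T10:00:03 T300 auth: login failed user=admin src=10.0.0.5
2020-07-07T10:00:04 T300 auth: login failed user=admin src=10.0.0.5
2020-07-07T10:00:05 T300 auth: login failed user=admin src=10.0.0.5
2020-07-07T10:00:06 T300 auth: login ok user=admin src=10.0.0.5
2020-07-07T10:05:00 T300 auth: login failed user=operator src=10.0.0.9
2020-07-07T10:20:00 T300 auth: login failed user=operator src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per (user, src) pair that reaches `threshold` failed
    logins inside a sliding `window`; flag it if a successful login follows,
    which is the signature of a guess that eventually worked."""
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not auth events
        ts = datetime.fromisoformat(m["ts"])
        key = (m["user"], m["src"])
        q = failures[key]
        if m["result"] == "failed":
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"user": key[0], "src": key[1],
                               "failures": len(q), "first": q[0].isoformat(),
                               "success_after": False}
        elif key in alerts:
            alerts[key]["success_after"] = True
    return list(alerts.values())
```

Run against the sample, only the admin burst from 10.0.0.5 is reported (five failures within one minute, followed by a success); the two operator failures are 15 minutes apart and stay below the threshold.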
In the Schneider Electric Easergy Builder software used to configure Easergy T300 (HU250), Saitel DP, Saitel DR and other controllers, the researchers also found a number of security problems. Easergy Builder stores and transmits various critical information in the clear (CVE-2020-7517, CVE-2020-7516), including encryption keys (CVE-2020-7517). It is also possible to gain access to all of the device's traffic because Easergy Builder uses a weak, reversible cryptographic algorithm to encrypt credentials (CVE-2020-7514).
In addition, the software does not validate user-supplied data, so a specially crafted request makes it possible to change the controller's configuration settings (CVE-2020-7518) and interfere with the management of power substations. Easergy Builder also allows users to set weak passwords (CVE-2020-7519), which further lowers the overall level of security.