Schneider Electric Modicon M221 PLCs and SoMachine Basic Use of Hard-Coded Cryptographic Key (CVE-2017-7574)

critical Tenable OT Security Plugin ID 500298

Synopsis

The remote OT asset is affected by a vulnerability.

Description

Schneider Electric SoMachine Basic 1.4 SP1 and Schneider Electric Modicon TM221CE16R 1.3.3.3 devices have a hardcoded- key vulnerability. The Project Protection feature is used to prevent unauthorized users from opening an XML protected project file, by prompting the user for a password. This XML file is AES-CBC encrypted; however, the key used for encryption (SoMachineBasicSoMachineBasicSoMa) cannot be changed. After decrypting the XML file with this key, the user password can be found in the decrypted data. After reading the user password, the project can be opened and modified with the Schneider product.

This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Schneider Electric recommends that users store project files in secure, access-restricted locations and encrypt project files with reputable third party file encryption tools.

On June 14, 2017, Schneider Electric released firmware v1.5.1.0 and associated SoMachineBasic V1.5SP1. The new version uses an enhanced encryption mechanism and prevents M221 from returning the password. Users may download SoMachineBasic V1.5SP1 (including firmware v1.5.1.0) from the Schneider Electric web site at the following location:

http://www.schneider-electric.com/en/download/document/SOMBASAP15SP1SOFT/

or by using Schneider Electric Software Update tool.

Schneider Electric’s security notice SEVD-2017-097-01 is available at the following location:

http://www.schneider-electric.com/en/download/document/SEVD-2017-097-01/

Schneider Electric’s security notice SEVD-2017-097-02 is available at the following location:

http://www.schneider-electric.com/en/download/document/SEVD-2017-097-02/

See Also

https://os-s.net/advisories/OSS-2017-02.pdf

https://www.cisa.gov/news-events/ics-advisories/icsa-17-103-02a

http://www.securityfocus.com/bid/97518

http://www.nessus.org/u?6f09e632

http://www.nessus.org/u?225e045b

Plugin Details

Severity: Critical

ID: 500298

Version: 1.10

Type: remote

Family: Tenable.ot

Published: 2/7/2022

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2017-7574

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:schneider-electric:modicon_tm221ce16r_firmware:1.3.3.3

Required KB Items: Tenable.ot/Schneider

Exploit Ease: No known exploits are available

Patch Publication Date: 4/6/2017

Vulnerability Publication Date: 4/6/2017

Reference Information

CVE: CVE-2017-7574

CWE: 798

ICSA: 17-103-02