Flaw in Schneider PLC Programming Tool Allows Remote Attacks

Schneider Electric this week announced that an update for its EcoStruxure Machine Expert product patches a high severity vulnerability that can be exploited remotely to obtain sensitive data. EcoStruxure Machine Expert - Basic, formerly known as SoMachine Basic, is a lightweight tool designed for programming Schneider's Modicon M221 programmable logic controller (PLC). Gjoko Krstic, a researcher at industrial cybersecurity firm Applied Risk, discovered recently that SoMachine Basic 1.6.0 build 61653, 1.5.5 SP1 build 60148, and likely earlier versions are impacted by an XML external entity (XXE) vulnerability that can be exploited to launch an out-of-band (OOB) attack.

Tracked as CVE-2018-7783, the vulnerability can be exploited by a remote and unauthenticated attacker to read arbitrary files on the targeted system. These files can include sensitive information, including passwords, user data, and details about the system. For the attack to work, the hacker needs to convince the targeted user to open a specially crafted SoMachine Basic project or template file.

"The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file," Krstic wrote in an advisory. The researcher also pointed out that in certain circumstances the flaw can be exploited for arbitrary code execution and to cause a denial-of-service (DoS) condition.
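The advisory quoted above describes the usual XML external entity (XXE) pattern: the parser honours a DOCTYPE inside an untrusted file and therefore resolves entities the file's author declared, which is how a project file ends up reading local files or calling out to a remote host. The following is an added defensive example, not code from Schneider Electric, Applied Risk or the advisory, showing how a file-loading routine can refuse any DTD before the document reaches the real parser. The `<Project>` layout is a constructed stand-in for a PLC project file, not the SoMachine Basic format, and the file path in the hostile sample is a placeholder.

```python
"""Refuse DTD markup in an XML project/template file before parsing it.

Added defensive example; it is not Schneider Electric's or Applied Risk's
code, and the <Project> layout is a constructed stand-in, not the real
SoMachine Basic file format.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """The document carries a DTD; that is where XXE declarations live."""


def _reject_dtd(data: bytes) -> None:
    """Walk the bytes with expat and abort at the first DOCTYPE or entity
    declaration. expat performs no I/O itself and no entity is expanded in
    this pass, so the walk is safe on hostile input."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} is not allowed in project files")

    def on_entity(*_args):
        raise UnsafeXMLError("entity declarations are not allowed in project files")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def load_project(data: bytes) -> ET.Element:
    """Parse an untrusted project file; raise UnsafeXMLError on any DTD."""
    # Cheap textual check first. It only sees single-byte encodings, which is
    # why the expat walk below is still required (UTF-16 input bypasses it).
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise UnsafeXMLError("DTD markup found by byte scan")
    _reject_dtd(data)
    return ET.fromstring(data)


def is_safe_project(data: bytes) -> bool:
    """True if the file parses without any DTD, False otherwise."""
    try:
        load_project(data)
    except (UnsafeXMLError, ET.ParseError):
        return False
    return True


# Constructed samples (not real project files).
BENIGN_PROJECT = b"""<?xml version="1.0"?>
<Project name="pump-station">
  <Program name="main" language="ladder"/>
</Project>"""

# Shape of the hostile file class the advisory describes: a DOCTYPE that
# declares an external entity pointing at a local path (placeholder here).
DTD_PROJECT = b"""<?xml version="1.0"?>
<!DOCTYPE Project [
  <!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">
]>
<Project name="&ext;"/>"""

# Same content re-encoded as UTF-16: the byte scan alone would miss it.
DTD_PROJECT_UTF16 = (
    DTD_PROJECT.decode("ascii")
    .replace('version="1.0"', 'version="1.0" encoding="utf-16"')
    .encode("utf-16")
)


if __name__ == "__main__":
    print("benign root:", load_project(BENIGN_PROJECT).tag)
    for sample in (DTD_PROJECT, DTD_PROJECT_UTF16):
        print("accepted:", is_safe_project(sample))
```

The UTF-16 sample is there to show why a byte-level search for `<!DOCTYPE` is not a sufficient control on its own: the expat pass sees the declaration regardless of encoding. For the out-of-band variant the article mentions, the observable on the defender's side is an engineering workstation opening an outbound connection to an unfamiliar host at the moment a project or template file is loaded, which is worth alerting on in an ICS network where such hosts should rarely talk to the outside at all.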

Schneider Electric patched the vulnerability with the release of SoMachine Basic v1.6 SP1. Last month, at SecurityWeek's ICS Cyber Security Conference in Singapore, Krstic disclosed the details of a DoS vulnerability that affects safety controllers from several major vendors, including devices that are directly exposed to the Internet. In January, Schneider Electric informed customers that its Floating License Manager, a tool that helps organizations manage licenses for Schneider products, contained code execution, open redirect and DoS vulnerabilities due to the use of a third-party component named Flexera FlexNet Publisher.

The security holes were discovered in FlexNet Publisher in 2016 and 2017. One week ago, Schneider published another advisory to inform customers that these flaws also impact PlantStruxure PES. ICS-CERT has also published an advisory on Thursday for the Floating License Manager issues.

EU's New Data Protection Rules Come Into Effect

The European Union's new data protection laws came into effect on Friday, with Brussels saying the changes will protect consumers from being like "people naked in an aquarium". The EU's so-called General Data Protection Regulation (GDPR) has been blamed for a flood of spam emails and messages in recent weeks as firms rush to request the explicit consent of users to contact them. Even though the rules were officially adopted two years ago, with a grace period until now to adapt to them, companies have been slow to act, resulting in a last-minute scramble this week.

Britain's data protection watchdog, the Information Commissioner's Office (ICO), said that its site had experienced "a few interruptions" as the deadline loomed, but said that "everything is working now". Brussels insists that the laws will become a global benchmark for the protection of people's online information, particularly in the wake of the Facebook data harvesting scandal. "The new rules will put the Europeans back in control of their data," said EU Justice Commissioner Vera Jourova.

"When it comes to personal data today, people are naked in an aquarium." Companies can be fined up to 20 million euros (£24 million) or four percent of annual global turnover for breaching the strict new data rules for the EU, a market of 500 million people.

- Explicit consent -

The law establishes the key principle that individuals must explicitly grant permission for their data to be used. The new EU law also establishes consumers' "right to know" who is processing their information and what it will be used for. People will be able to block the processing of their data for commercial reasons and even have data deleted under the "right to be forgotten".

Parents will decide for children until they reach the age of consent, which member states will set anywhere between 13 and 16 years old. The case for the new rules has been boosted by the recent scandal over the harvesting of Facebook users' data by Cambridge Analytica, a US-British political research firm, for the 2016 US presidential election. The breach affected 87 million users, but Facebook said Wednesday it has found no evidence that any data from Europeans were sold to Cambridge Analytica.

Facebook chief Mark Zuckerberg said in a hearing at the European Parliament on Tuesday that his firm will not only be "fully compliant" with the EU law, but will also make huge investments to protect users. Zuckerberg said he was "sorry" for the Cambridge Analytica breaches, but also for its failure to crack down on election interference, "fake news" and other data misuses.

- 'Global standard' -

Big platforms like Facebook, WhatsApp and Twitter seem well prepared for the new laws, while smaller businesses have voiced concern. But EU officials say they are initially focusing on the big firms, whose business models use a goldmine of personal information for advertising, while offering smaller firms more time to adapt. Meanwhile Brussels has expressed impatience with the eight countries -- out of the EU's 28 -- that say they will not have updated their laws by Friday.

EU Commissioner Jourova said the new rules are setting "a global standard of privacy". Many Americans who once criticised Europe as too quick to regulate the new driver of the global economy now see the need for the GDPR, EU officials insist. "I see some version of GDPR getting quickly adopted at least in the United States," Param Vir Singh, a business professor at Carnegie Mellon University, told AFP in an email.

Japan, South Korea, India and Thailand are also drawing "some inspiration" from Brussels as they debate or adopt similar laws, another EU official said.

New Features Added to CERT Tapioca Tool

The CERT Coordination Center (CERT/CC) at Carnegie Mellon University this week announced the launch of a new version of the network traffic analysis tool CERT Tapioca. CERT Tapioca was first released in 2014 as a network-layer man-in-the-middle (MitM) proxy virtual machine designed for identifying apps that fail to validate certificates and investigating the content of HTTP and HTTPS traffic. CERT Tapioca has been used to identify Android applications that fail to properly validate SSL certificates and expose users to MitM attacks.

More than one million apps have been checked and over 23,000 of them failed dynamic testing. The tool can be used to analyze network traffic not only on smartphones, but also on IoT devices, computers and VMs. Will Dormann, vulnerability analyst at CERT/CC and developer of CERT Tapioca, on Thursday announced the release of version 2.0, which introduces a graphical user interface and can be installed on multiple Linux distributions, including Red Hat, CentOS, Fedora, Ubuntu, OpenSUSE, and Raspbian.

CERT Tapioca 2.0 also allows users to set up a HOSTAP-compatible Wi-Fi adapter for wireless connectivity, and it can save results from multiple tested systems. In addition to checking HTTPS validation, verifying an application's use of modern cryptography standards, and observing the hosts contacted by an application, Tapioca now allows users to search network traffic for specified strings, such as passwords.
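The "search network traffic for specified strings" feature described above boils down to inspecting what an application sends once a proxy can see it in the clear. The following is an added illustration of that check, not Tapioca's own code: a scanner over raw HTTP/1.x requests, as a MitM proxy would capture them, that flags credentials carried in Basic or Bearer headers, query strings and form-encoded bodies, and tallies exposures per destination host. The captures and the `SENSITIVE_PARAMS` watch-list are constructed assumptions an analyst would tune for the app under test.

```python
"""Flag credentials that cross the wire in cleartext HTTP requests.

Added example of the kind of check CERT Tapioca 2.0 performs when it searches
captured traffic for strings such as passwords. It is not Tapioca's code; the
request captures below are constructed and SENSITIVE_PARAMS is an assumed
watch-list.
"""
from base64 import b64decode, b64encode
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl

# Assumed watch-list of parameter names that should never travel unencrypted.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pin", "token", "api_key", "secret"}


@dataclass
class Finding:
    host: str
    location: str      # "header", "query" or "body"
    name: str
    preview: str       # first characters only, never the full secret


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("latin-1")


def _preview(value: str) -> str:
    """Keep reports useful without copying the secret into the log."""
    return value[:2] + "..." if len(value) > 2 else "..."


def scan_request(raw: bytes) -> List[Finding]:
    """Return one Finding per credential-bearing field in a cleartext request."""
    request_line, headers, body = parse_request(raw)
    host = headers.get("host", "?")
    findings: List[Finding] = []

    # Credentials in the Authorization header (Basic is reversible base64).
    auth = headers.get("authorization", "")
    scheme, _, param = auth.partition(" ")
    if scheme.lower() == "basic":
        try:
            user = b64decode(param).decode("latin-1").split(":", 1)[0]
        except ValueError:
            user = "?"
        findings.append(Finding(host, "header", "Authorization: Basic", f"user={user}"))
    elif scheme.lower() == "bearer":
        findings.append(Finding(host, "header", "Authorization: Bearer", _preview(param)))

    # Credentials in the query string or a form-encoded body.
    target = request_line.split(" ")[1] if " " in request_line else ""
    query = target.partition("?")[2]
    ctype = headers.get("content-type", "")
    form_body = body if ctype.startswith("application/x-www-form-urlencoded") else ""
    for location, blob in (("query", query), ("body", form_body)):
        for name, value in parse_qsl(blob, keep_blank_values=False):
            if name.lower() in SENSITIVE_PARAMS:
                findings.append(Finding(host, location, name, _preview(value)))
    return findings


def scan_capture(requests: List[bytes]) -> Dict[str, int]:
    """Count credential exposures per destination host across a capture."""
    counts: Dict[str, int] = {}
    for raw in requests:
        for finding in scan_request(raw):
            counts[finding.host] = counts.get(finding.host, 0) + 1
    return counts


# Constructed captures (no real hosts or accounts).
LOGIN_POST = (
    b"POST /api/login HTTP/1.1\r\nHost: app.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
    b"username=alice&password=hunter2"
)
BASIC_GET = (
    b"GET /sync?token=abc123 HTTP/1.1\r\nHost: api.example.test\r\n"
    b"Authorization: Basic " + b64encode(b"bob:letmein") + b"\r\n\r\n"
)
PLAIN_GET = b"GET /news.json HTTP/1.1\r\nHost: cdn.example.test\r\n\r\n"

if __name__ == "__main__":
    for finding in scan_request(LOGIN_POST) + scan_request(BASIC_GET):
        print(finding)
    print(scan_capture([LOGIN_POST, BASIC_GET, PLAIN_GET]))
```

The scanner reports a redacted preview rather than the captured value so that the test report itself does not become a second copy of the credential. In a real Tapioca run the same logic would be applied to the request bodies the proxy logs, and a hit on a host reached over plain HTTP, or over HTTPS that the app accepted without validating the certificate, is the finding the tool is designed to surface.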

The CERT Tapioca 2.0 source code, along with additional details and usage instructions, is available on GitHub.