
If you miss the happier times of the 2000s, just look up today's SCADA gear which still has Stuxnet-style holes
2020-05-08 10:56

"The impact is that a malicious actor can start and stop the PLC remotely without authenticating with the engineering software," said Trustwave's Seok Min Lim in an advisory this week, adding: "Our research shows that SoMachine Basic does not perform adequate checks on critical values used in the communications with PLC. The vulnerability can potentially be used to send manipulated packets to the PLC, without the software being aware of the manipulation."

Although the Schneider PLC is designed to accept only one session from the engineering software at a time, Trustwave used Address Resolution Protocol (ARP) poisoning to put itself between the workstation and the controller, so that the session stayed alive from the software's point of view while the real user had in fact been logged out.

"As part of the protocol specification, the PLC responded with a generic 'OK' message that was indistinguishable from the response to the 'Keep Alive' request. As a result, SoMachine Basic was tricked into thinking that the 'Keep Alive' message was executed successfully. The software is unaware that the session with the PLC had ended," explained the Trustwave team.
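The session trick described above, reconstructed as an added example that is not Trustwave's or Schneider's code and does not use the real Modicon/SoMachine wire format: a toy PLC that answers every accepted command with the same generic 'OK', an attacker in the on-path position that ARP poisoning provides, and engineering software that cannot tell which request a given 'OK' answered. The hardened variant, which binds each request and reply to a nonce and an HMAC under a shared key, is an assumption about how such a protocol could be fixed, not a description of Schneider's patch.

```python
import hashlib
import hmac
import secrets

# Assumption for the hardened variant: workstation and PLC share a key. A toy stand-in
# for real key establishment, not anything the Modicon protocol does.
PSK = b"toy-pre-shared-key"


def tag(fields):
    """HMAC over every field except the tag itself (constructed toy wire format)."""
    body = "|".join(f"{k}={v}" for k, v in sorted(fields.items()) if k != "tag")
    return hmac.new(PSK, body.encode(), hashlib.sha256).hexdigest()


def seal(fields):
    return {**fields, "tag": tag(fields)}


def verify(fields):
    return "tag" in fields and hmac.compare_digest(fields["tag"], tag(fields))


class Plc:
    """Toy controller: one session at a time; every accepted command is answered 'OK'."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.session = None
        self.running = True

    def _reply(self, status, msg):
        reply = {"status": status}
        if self.hardened:
            # Echo the request's command and nonce and authenticate the reply, so the
            # workstation can tell which request this answers and that it is genuine.
            reply = seal({**reply, "cmd": msg.get("cmd"), "nonce": msg.get("nonce")})
        return reply

    def handle(self, msg):
        if self.hardened and not verify(msg):
            return self._reply("ERR", msg)  # tampered or unauthenticated request
        cmd = msg["cmd"]
        if cmd == "LOGIN":
            if self.session is not None:
                return self._reply("BUSY", msg)
            self.session = msg["session"]
            return self._reply("OK", msg)
        if msg.get("session") != self.session:
            return self._reply("ERR", msg)
        if cmd == "LOGOUT":
            self.session = None
        elif cmd == "STOP":
            self.running = False
        elif cmd == "START":
            self.running = True
        # KEEPALIVE, START, STOP and LOGOUT all fall through to the same generic reply.
        return self._reply("OK", msg)


class Mitm:
    """Attacker on the path between workstation and PLC (the position ARP poisoning buys)."""

    def __init__(self, plc):
        self.plc = plc

    def forward(self, msg):
        if msg.get("cmd") == "KEEPALIVE":
            # Rewrite the keep-alive into a logout; the PLC's reply goes back unchanged.
            msg = {**msg, "cmd": "LOGOUT"}
        return self.plc.handle(msg)


class Workstation:
    """Engineering software: a bare 'OK' is all it can check in the original variant."""

    def __init__(self, link, hardened):
        self.link = link
        self.hardened = hardened
        self.session = secrets.token_hex(4)

    def send(self, cmd):
        msg = {"cmd": cmd, "session": self.session, "nonce": secrets.token_hex(4)}
        if self.hardened:
            msg = seal(msg)
        reply = self.link.forward(msg)
        if reply.get("status") != "OK":
            return False
        if self.hardened:
            return verify(reply) and reply.get("cmd") == cmd and reply.get("nonce") == msg["nonce"]
        return True


def run_scenario(hardened):
    """Login, one keep-alive through the MITM, then a keyless attacker tries to take over."""
    plc = Plc(hardened)
    ws = Workstation(Mitm(plc), hardened)
    ws.send("LOGIN")
    thinks_alive = ws.send("KEEPALIVE")
    plc.handle({"cmd": "LOGIN", "session": "attacker", "nonce": "a"})
    plc.handle({"cmd": "STOP", "session": "attacker", "nonce": "b"})
    return {
        "software_thinks_session_alive": thinks_alive,
        "plc_session_is_real_user": plc.session == ws.session,
        "plc_running": plc.running,
    }
```

`run_scenario(hardened=False)` reproduces the published behaviour: the workstation believes its keep-alive succeeded, the PLC has no session for it any more, and the attacker logs in and stops the controller. With `hardened=True` the rewritten request fails the PLC's tag check, the workstation sees something other than 'OK' and can alarm, and the attacker's unauthenticated login is refused. The point is not the specific MAC but that a reply must identify, and be bound to, the request it answers.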

A second vuln involved side-loading a substituted DLL into the engineering software to alter hard-coded values in the commands it sends to the PLC, much as the infamous Stuxnet worm, widely attributed to the US and Israel, was used to knacker Iran's uranium-enrichment centrifuges back in the 2000s.

Stuxnet, said Trustwave, "side-loaded a malicious dynamic linked library, which is used by the software to communicate with the PLC. It intercepted and modified all the legitimate packets to the controllers and successfully uploaded malicious logic codes to change the [PLC] behaviors."
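A baseline-and-verify check over the libraries an engineering application loads, as an added example that is not Trustwave's, Schneider's or any Stuxnet-related code: the control that would flag the substituted DLL described above. The directory layout, file names and file contents are constructed in a temporary directory; SoMachine Basic's real install layout and DLL names are not assumed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

MODULE_PATTERNS = ("*.dll", "*.exe")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(app_dir, patterns=MODULE_PATTERNS):
    """Hash every loadable module under app_dir; run this once on a known-good install."""
    app_dir = Path(app_dir)
    manifest = {}
    for pattern in patterns:
        for p in app_dir.rglob(pattern):
            manifest[str(p.relative_to(app_dir))] = sha256_of(p)
    return manifest


def verify_install(app_dir, manifest, patterns=MODULE_PATTERNS):
    """Compare the current tree with the stored baseline: (modified, added, missing)."""
    current = build_manifest(app_dir, patterns)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    added = sorted(k for k in current if k not in manifest)   # a planted side-load candidate
    missing = sorted(k for k in manifest if k not in current)
    return modified, added, missing


def demo():
    """Constructed scenario: a good install, then one DLL swapped and one planted."""
    with tempfile.TemporaryDirectory() as d:
        app = Path(d)
        (app / "Engineering.exe").write_bytes(b"MZ...exe stand-in")
        (app / "comm.dll").write_bytes(b"MZ...legitimate PLC comms library")
        (app / "plugins").mkdir()
        (app / "plugins" / "proto.dll").write_bytes(b"MZ...protocol plugin")
        baseline_json = json.dumps(build_manifest(app), indent=2, sort_keys=True)  # store off-host
        # Attacker replaces the comms DLL and drops an extra library next to the executable.
        (app / "comm.dll").write_bytes(b"MZ...patched: hard-coded command values altered")
        (app / "planted.dll").write_bytes(b"MZ...planted")
        modified, added, missing = verify_install(app, json.loads(baseline_json))
        return {"modified": modified, "added": added, "missing": missing}


if __name__ == "__main__":
    print(demo())
```

Keep the baseline manifest somewhere the workstation cannot write to and run `verify_install` before each session with a controller; a hash comparison catches a replaced or added module regardless of whether the attacker managed to sign it, which is the gap a signature-only check leaves open.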


News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/05/08/schneider_electric_plc_vulnerability/