Trustwave has discovered another Stuxnet-like vulnerability in Schneider Electric software, specifically in EcoStruxure Machine Expert (formerly SoMachine), which is used to create projects for Modicon M221 programmable logic controllers.
The description of CVE-2020-7489 is exactly the same as that of CVE-2020-7475, a vulnerability discovered in March this year in the EcoStruxure Control Expert software (formerly called Unity Pro). Both vulnerabilities allow arbitrary code to be loaded onto a Modicon PLC by replacing a program file associated with the software, which can lead to malfunctions in production processes and other damage. Both issues are rated 8.2 out of a maximum of 10 on the CVSS severity scale.
According to Trustwave experts, exploiting CVE-2020-7489 requires access to the SoMachine environment and the target PLC. To introduce the DLL file, the attacker has to operate in the context of a local user authorized to run the software. Administrative access is not required unless SoMachine has been installed and restricted exclusively to use by the administrator. Although such systems can be physically isolated from the Internet, the example of the Stuxnet malware shows that exploiting their vulnerabilities in real attacks is possible.
Schneider Electric has released a fix for both vulnerabilities.