Kaspersky team reveals “secrets” in Schneider UMAS protocol

Kaspersky ICS CERT investigated on Unified Messaging Application Services (UMAS) by Schneider Electric and the vulnerabilities of this highly popular protocol, which is used in multiple industries – from manufacturing to elevator control systems. By exploiting described vulnerabilities, attackers could gain access to the whole automation system of an entity. 

UMAS (Unified Messaging Application Services) is Schneider Electric’s proprietary protocol used to configure, monitor, collect data and control Schneider Electric industrial controllers. The use of protocol is very widespread among different industries. The issues described by Kaspersky ICS CERT experts refer to unauthorised access to the programmable logic controller (PLC) and ways cybercriminals take to bypass authentication.

In 2020, the vulnerability, CVE-2020-28212, was reported, which could be exploited by a remote unauthorised attacker to gain control of a programmable logic controller (PLC) with the privileges of an operator already authenticated on the controller. To address the vulnerability, Schneider Electric developed a new mechanism, Application Password, which should provide protection against unauthorised access to PLCs and unwanted modifications.

An analysis conducted by Kaspersky ICS CERT experts has shown that the implementation of the new security mechanism also has flaws. The CVE-2021-22779 vulnerability, which was identified in the course of the research, could allow a remote attacker to make changes to the PLC, bypassing authentication.

As the researchers investigated, the main problem was that the authentication data used to “reserve” the device for modification was computed entirely on the client side, and the “secret” used could be obtained from PLC without authentication.

Schneider Electric published an advisory with a remediation addressing the vulnerabilities. Kaspersky ICS CERT in turn recommends to additionally use network monitoring and deep industrial protocol analysis solutions such as Kaspersky Industrial CyberSecurity for Networks, to monitor and control remote access attempts to PLC devices.

“The threat landscape is constantly evolving, and an organisation’s security strategy must constantly evolve as well to meet new challenges. Today, building cyber security system is not an end-state, but a continuous proactive process – that is proved by the example of the UMAS protocol. We’re grateful that Schneider Electric managed to respond that rapidly to the discovered vulnerabilities and provide its clients with appropriate solution and recommendations. However, our advice to all responsible for security within an enterprise is to implement special solutions,” comments Pavel Nesterov, a security expert at ICS CERT Kaspersky. 

To keep your ICS computers protected from various threats, Kaspersky experts recommend:

  • Regularly update operating systems and application software that are part of the enterprise’s network. Apply security fixes and patches to IT and OT network equipment as soon as they are available
  • Conduct regular security audits of IT and OT systems to identify and eliminate possible vulnerabilities
  • Use ICS network traffic monitoring, analysis, and detection product Kaspersky Industrial CyberSecurity for Networks for better protection from attacks which potentially threaten technological processes and main enterprise assets. The special Command Control module detects the exploitation of vulnerabilities in UMAS protocol, when an attacker attempts to execute the command “Reserve controller”. Another module Network Integrity Control registers unauthorised network connections. All events are combined into an incident and sent to the administrator for further investigation.
  • Put in place dedicated security training for IT security teams and OT engineers, to improve response to new and advanced malicious techniques
  • Provide the security team responsible for protecting industrial control systems with up-to-date threat intelligence. Our ICS Threat Intelligence Reporting service provides insights into current threats and attack vectors, as well as the most vulnerable elements in OT and industrial control systems and how to mitigate them

 Kaspersky Industrial Control Systems Cyber Emergency Response Team (Kaspersky ICS CERT) is a global project launched by Kaspersky in 2016 to coordinate the efforts of automation system vendors, industrial facility owners and operators, and IT security researchers to protect industrial enterprises from cyberattacks. Kaspersky ICS CERT devotes its efforts primarily to identifying potential and existing threats that target industrial automation systems and the Industrial Internet of Things. Kaspersky ICS CERT is an active member and partner of leading international organizations that develop recommendations on protecting industrial enterprises from cyberthreats.


Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.