Cryptographic deadly sins and the security of Modicon M100/M200/M221

Schneider Electric has issued an advisory regarding vulnerabilities of various severity levels (from 3.1 to 7.1) in their Modicon M100/M200/M221 PLCs. The vulnerabilities are due to shortcomings in the implementation of cryptographic data protection features.

The January 12 advisory confirms that the vulnerabilities in the Modicon M221 PLC series described by Claroty and Trustwave in November 2020 also affect the Modicon M100 and M200 series.

The vulnerabilities affect the proprietary mechanism designed to protect data transmitted via Modbus (502/tcp). Specifically, it is the recently developed mechanism for setting passwords for the communications between the controller and software on the engineering computer that is vulnerable.

The researchers provide a generic statement regarding “some shortcomings” in the implementation of authentication and data encryption mechanisms. In fact, what is being described are some of the cryptographic ‘deadly sins’:

• Using extremely short (only 4 bytes) keys and secrets;
• Using current timestamps as inputs for generating pseudo-random numbers;
• Modifying known encryption algorithms or using proprietary algorithms;
• Using XOR to encrypt passwords or data;
• Combining encrypted and unencrypted data.

These so-called shortcomings do more than just allow various types of attacks. Together they make each other more dangerous and sometimes even allow threat actors to identify keys directly in captured traffic without applying any additional automation.

The Claroty researchers identify the vulnerable secret sharing algorithm as Diffie-Hellman, whereas the Trustwave researchers refer to a nameless shared “key generation function” (and show the pseudo-code, which is different from the Diffie-Hellman implementation). In any case, the discussion is about a mutual exchange of 4-byte pseudo-random numbers. Trustwave mentions that in certain cases the space to search through in an exhaustive key search is reduced to only two bytes.

Using XOR encryption with a 4-byte key renders even this key search unnecessary. If there is a sufficiently large number of known byte sequences repeated in traffic or a sufficient number of 4-byte NULL strings, the key can be deduced ‘by sight’. A padding oracle attack is based on identifying and analyzing encrypted sequences created from the same plain text. In this case, it is sufficient to search the packet body for identical four-byte sequences – they are highly likely to represent the key on which the XOR 0x00000000 operation has been performed. If the key could not be identified in this way, other predictable values in the packet’s data field can be analyzed. Mixing encrypted and unencrypted data facilitates this analysis.

Further technical details can be found in the Claroty and Trustwave reports. A detailed review of these reports can provide multiple ideas for recommendations to vendors that implement data security mechanisms in their software. However, the main idea is to make sure to have security experts evaluate the strength of the chosen security mechanisms, particularly as regards encryption.

Vulnerability information publication date: November 10, 2020; updated on January 12, 2021

Sources: Schneider Electric, Claroty, Trustwave